
Windows Analysis Report
LMm6yxQtcf.exe

Overview

General Information

Sample name: LMm6yxQtcf.exe (renamed because the original name is a hash value)
Original sample name: f8323b929f41ccf03233ed133d14d3b8d4e44ce842db4abf744f7cc96dd8d841.exe
Analysis ID: 1569362
MD5: 49e51c7694ea172c357db1cabd2300b7
SHA1: ec874a5836119b7b82aa8ba50e0410bed0e51a8f
SHA256: f8323b929f41ccf03233ed133d14d3b8d4e44ce842db4abf744f7cc96dd8d841
Tags: exe, user-adrian__luca

Detection

PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected PureLog Stealer
Yara detected UAC Bypass using CMSTP
Yara detected zgRAT
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • LMm6yxQtcf.exe (PID: 7956 cmdline: "C:\Users\user\Desktop\LMm6yxQtcf.exe" MD5: 49E51C7694EA172C357DB1CABD2300B7)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
zgRAT | zgRAT is a Remote Access Trojan which sometimes drops other malware such as AgentTesla. zgRAT also has an infostealer component that targets browser information and cryptowallets. It usually spreads via USB or phishing emails with .zip/.lnk/.bat/.xlsx attachments and the like. | No Attribution | - | https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat
No configs have been found
Source | Rule | Description | Author | Strings
LMm6yxQtcf.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | -
LMm6yxQtcf.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | -
LMm6yxQtcf.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | -
LMm6yxQtcf.exe | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen | (matched strings listed below)
  • 0x5558b:$s1: file:///
  • 0x55477:$s2: {11111-22222-10009-11112}
  • 0x5551b:$s3: {11111-22222-50001-00000}
  • 0x50feb:$s4: get_Module
  • 0x516cb:$s5: Reverse
  • 0x4b59b:$s6: BlockCopy
  • 0x51b43:$s7: ReadByte
  • 0x5559d:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...

Source | Rule | Description | Author | Strings
00000005.00000000.1268602080.0000000000EE2000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | -
00000005.00000002.1409671773.0000000004271000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | -
00000005.00000002.1409671773.0000000004271000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | -
Process Memory Space: LMm6yxQtcf.exe PID: 7956 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | -
Process Memory Space: LMm6yxQtcf.exe PID: 7956 | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | -

Source | Rule | Description | Author | Strings
5.0.LMm6yxQtcf.exe.ee0000.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | -
5.0.LMm6yxQtcf.exe.ee0000.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | -
5.0.LMm6yxQtcf.exe.ee0000.0.unpack | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen | (matched strings listed below)
  • 0x5558b:$s1: file:///
  • 0x55477:$s2: {11111-22222-10009-11112}
  • 0x5551b:$s3: {11111-22222-50001-00000}
  • 0x50feb:$s4: get_Module
  • 0x516cb:$s5: Reverse
  • 0x4b59b:$s6: BlockCopy
  • 0x51b43:$s7: ReadByte
  • 0x5559d:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...

No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: LMm6yxQtcf.exe | Avira: detected
Source: LMm6yxQtcf.exe | ReversingLabs: Detection: 65%
Source: LMm6yxQtcf.exe | Joe Sandbox ML: detected

Exploits

Source: Yara match | File source: 00000005.00000002.1409671773.0000000004271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: LMm6yxQtcf.exe PID: 7956, type: MEMORYSTR
Source: LMm6yxQtcf.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: Z:\Oreans Projects\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb | source: LMm6yxQtcf.exe, 00000005.00000002.1400679565.0000000000F4C000.00000040.00000001.01000000.00000003.sdmp
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\

Networking

Source: Yara match | File source: LMm6yxQtcf.exe, type: SAMPLE
Source: global traffic | TCP traffic: 192.168.2.10:49727 -> 5.42.92.0:5555
Source: global traffic | HTTP traffic detected: GET /json/ HTTP/1.1 Content-Type: application/json Host: ip-api.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /json/ HTTP/1.1 Content-Type: application/json Host: ip-api.com Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: unknown | DNS query: name: ip-api.com
Source: unknown | TCP traffic detected without corresponding DNS query: 5.42.92.0
Source: global traffic | HTTP traffic detected: GET /json/ HTTP/1.1 Content-Type: application/json Host: ip-api.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /json/ HTTP/1.1 Content-Type: application/json Host: ip-api.com Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: LMm6yxQtcf.exe, 00000005.00000002.1425651221.0000000008C0D000.00000004.00000800.00020000.00000000.sdmp, LMm6yxQtcf.exe, 00000005.00000002.1425651221.00000000087D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: LMm6yxQtcf.exe, 00000005.00000002.1425651221.0000000008805000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/
Source: LMm6yxQtcf.exe, 00000005.00000002.1409671773.0000000004271000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/json/
Source: LMm6yxQtcf.exe, 00000005.00000002.1425651221.0000000008C0D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.comd
Source: LMm6yxQtcf.exe, 00000005.00000002.1409671773.0000000004271000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Source: LMm6yxQtcf.exe, type: SAMPLE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 5.0.LMm6yxQtcf.exe.ee0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: LMm6yxQtcf.exe | Static PE information: section name:
Source: LMm6yxQtcf.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_040002C8
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_040023D1
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_040023E0
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_04008DE3
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_04008DF0
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_04092291
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_04093380
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_04090878
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_04090888
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_063A66C0
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_063AC338
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_063AB1F0
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_063A0ED8
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_063A666F
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_063A12FD
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_063A0EC8
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_06955448
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_069515C0
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_0695515A
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_0695EB70
Source: LMm6yxQtcf.exe | Static PE information: invalid certificate
Source: LMm6yxQtcf.exe | Binary or memory string: OriginalFilename vs LMm6yxQtcf.exe
Source: LMm6yxQtcf.exe, 00000005.00000002.1400648041.0000000000F44000.00000020.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSteal1.exe, vs LMm6yxQtcf.exe
Source: LMm6yxQtcf.exe, 00000005.00000002.1402924690.0000000001E8E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs LMm6yxQtcf.exe
Source: LMm6yxQtcf.exe, 00000005.00000000.1268675290.0000000000F4A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSteal1.exe, vs LMm6yxQtcf.exe
Source: LMm6yxQtcf.exe | Binary or memory string: OriginalFilenameSteal1.exe, vs LMm6yxQtcf.exe
Source: LMm6yxQtcf.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: LMm6yxQtcf.exe, type: SAMPLE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 5.0.LMm6yxQtcf.exe.ee0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: LMm6yxQtcf.exe | Static PE information: Section: ZLIB complexity 1.0169753086419753
Source: LMm6yxQtcf.exe | Static PE information: Section: ZLIB complexity 1.6
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@1/1@1/2
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\LMm6yxQtcf.exe.log
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Mutant created: \Sessions\1\BaseNamedObjects\gjtoyxXmwtECnWN
Source: LMm6yxQtcf.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: LMm6yxQtcf.exe, 00000005.00000002.1409671773.0000000004322000.00000004.00000800.00020000.00000000.sdmp, LMm6yxQtcf.exe, 00000005.00000002.1409671773.0000000004334000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: LMm6yxQtcf.exe | ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: LMm6yxQtcf.exe | Static file information: File size 5013292 > 1048576
Source: LMm6yxQtcf.exe | Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x461200
Source: Binary string: Z:\Oreans Projects\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb | source: LMm6yxQtcf.exe, 00000005.00000002.1400679565.0000000000F4C000.00000040.00000001.01000000.00000003.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Unpacked PE file: 5.2.LMm6yxQtcf.exe.ee0000.0.unpack .text:ER; :R; :R;.imports:W;.rsrc:R;.themida:EW;.boot:ER;.taggant:ER; vs .text:ER; :R;
Source: LMm6yxQtcf.exe | Static PE information: 0xBF741A23 [Wed Oct 14 14:05:23 2071 UTC]
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: LMm6yxQtcf.exe | Static PE information: real checksum: 0x4c8284 should be: 0x4cfbe2
Source: LMm6yxQtcf.exe | Static PE information: section name:
Source: LMm6yxQtcf.exe | Static PE information: section name:
Source: LMm6yxQtcf.exe | Static PE information: section name: .imports
Source: LMm6yxQtcf.exe | Static PE information: section name: .themida
Source: LMm6yxQtcf.exe | Static PE information: section name: .boot
Source: LMm6yxQtcf.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_010F4117 push 06419D6Dh; mov dword ptr [esp], ebp | 5_2_010F413B
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_010F1915 push ebx; mov dword ptr [esp], ecx | 5_2_010F1916
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_010F8124 push 5C0ACDD9h; mov dword ptr [esp], ecx | 5_2_010F8129
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_010F8124 push eax; mov dword ptr [esp], 70D78AFBh | 5_2_010F819E
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_010F8549 push eax; mov dword ptr [esp], 2E57332Dh | 5_2_010F857C
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_010F8549 push edi; mov dword ptr [esp], eax | 5_2_010F8591
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_010F6550 push edx; mov dword ptr [esp], ebx | 5_2_010F656B
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_010F7D7D push edx; mov dword ptr [esp], 736189C1h | 5_2_010F7D9D
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_010F4175 push edx; mov dword ptr [esp], ebx | 5_2_010F4176
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_010F4175 push 724B98B6h; mov dword ptr [esp], ebx | 5_2_010F41B3
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_010F4986 push 753B8C8Bh; mov dword ptr [esp], ebx | 5_2_010F498B
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_010F85AB push ecx; mov dword ptr [esp], edi | 5_2_0110D6CB
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_010F75A8 push 473C6DBCh; mov dword ptr [esp], edx | 5_2_010F75C4
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_010F75A8 push 50BFDE25h; mov dword ptr [esp], edi | 5_2_010F76B1
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_010F31BE push edi; mov dword ptr [esp], ebx | 5_2_010F31BF
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_010F45CF push 2C257EABh; mov dword ptr [esp], eax | 5_2_010F45D4
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_010F45CF push 58F446F5h; mov dword ptr [esp], edx | 5_2_010F45E8
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_010F45CF push 36BBEA27h; mov dword ptr [esp], ebx | 5_2_010F4609
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_010F7DDD push esi; mov dword ptr [esp], ebx | 5_2_010F7DFE
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_010F29D4 push eax; mov dword ptr [esp], ebx | 5_2_010F29D5
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_010F29D4 push edx; mov dword ptr [esp], ecx | 5_2_010F2A0A
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_010F41D3 push 37F1BCB1h; mov dword ptr [esp], ecx | 5_2_010F41D8
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_010F41D3 push ebx; mov dword ptr [esp], esi | 5_2_010F41DF
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_010F41D3 push 0FF3B52Fh; mov dword ptr [esp], ebx | 5_2_010F41F6
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_010F41D3 push 18438787h; mov dword ptr [esp], ebx | 5_2_010F4213
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_010F65D0 push 30221335h; mov dword ptr [esp], ecx | 5_2_010F66A0
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_010F81F6 push ecx; mov dword ptr [esp], 30A9ED2Ah | 5_2_010F81F7
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_010F81F6 push ebp; mov dword ptr [esp], edi | 5_2_010F8211
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_010F81F6 push eax; mov dword ptr [esp], ecx | 5_2_010F822A
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_010F1C2B push ecx; mov dword ptr [esp], ebx | 5_2_010F1C49
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Code function: 5_2_010F782B push eax; mov dword ptr [esp], edi | 5_2_010F77D4

Boot Survival

Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\LMm6yxQtcf.exe | Window searched: window name: PROCMON_WINDOW_CLASS
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion

                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe System information queried: FirmwareTableInformation
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                      Source: LMm6yxQtcf.exe, 00000005.00000002.1409671773.0000000004271000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe Memory allocated: 3FF0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe Memory allocated: 4270000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe Window / User API: threadDelayed 3092
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe Window / User API: threadDelayed 2888
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe TID: 6944 Thread sleep time: -11068046444225724s >= -30000s
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe TID: 7480 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\
                      Source: LMm6yxQtcf.exe, 00000005.00000002.1410358547.00000000052C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
                      Source: LMm6yxQtcf.exe, 00000005.00000002.1410358547.00000000052C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696501413o
                      Source: LMm6yxQtcf.exe, 00000005.00000002.1410358547.00000000052C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
                      Source: LMm6yxQtcf.exe, 00000005.00000002.1410358547.00000000052C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
                      Source: LMm6yxQtcf.exe, 00000005.00000002.1410358547.00000000052C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
                      Source: LMm6yxQtcf.exe, 00000005.00000002.1410358547.00000000052C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696501413j
                      Source: LMm6yxQtcf.exe, 00000005.00000002.1409671773.0000000004271000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: hyper-v
                      Source: LMm6yxQtcf.exe, 00000005.00000002.1410358547.00000000052C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
                      Source: LMm6yxQtcf.exe, 00000005.00000002.1410358547.00000000052C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
                      Source: LMm6yxQtcf.exe, 00000005.00000002.1410358547.00000000052C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696501413|UE
                      Source: LMm6yxQtcf.exe, 00000005.00000002.1410358547.00000000052C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696501413x
                      Source: LMm6yxQtcf.exe, 00000005.00000002.1410358547.00000000052C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
                      Source: LMm6yxQtcf.exe, 00000005.00000002.1410358547.00000000052C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
                      Source: LMm6yxQtcf.exe, 00000005.00000002.1410358547.00000000052C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
                      Source: LMm6yxQtcf.exe, 00000005.00000002.1410358547.00000000052C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696501413t
                      Source: LMm6yxQtcf.exe, 00000005.00000002.1402924690.0000000001F1F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: LMm6yxQtcf.exe, 00000005.00000002.1410358547.00000000052C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - HKVMware20,11696501413]
                      Source: LMm6yxQtcf.exe, 00000005.00000002.1410358547.00000000052C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696501413s
                      Source: LMm6yxQtcf.exe, 00000005.00000002.1410358547.00000000052C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
                      Source: LMm6yxQtcf.exe, 00000005.00000002.1409671773.0000000004271000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
                      Source: LMm6yxQtcf.exe, 00000005.00000002.1410358547.00000000052C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
                      Source: LMm6yxQtcf.exe, 00000005.00000002.1410358547.00000000052C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
                      Source: LMm6yxQtcf.exe, 00000005.00000002.1410358547.00000000052C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
                      Source: LMm6yxQtcf.exe, 00000005.00000002.1410358547.00000000052C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696501413
                      Source: LMm6yxQtcf.exe, 00000005.00000002.1410358547.00000000052C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
                      Source: LMm6yxQtcf.exe, 00000005.00000002.1410358547.00000000052C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
                      Source: LMm6yxQtcf.exe, 00000005.00000002.1410358547.00000000052C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
                      Source: LMm6yxQtcf.exe, 00000005.00000002.1410358547.00000000052C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
                      Source: LMm6yxQtcf.exe, 00000005.00000002.1410358547.00000000052C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696501413
                      Source: LMm6yxQtcf.exe, 00000005.00000002.1410358547.00000000052C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696501413t
                      Source: LMm6yxQtcf.exe, 00000005.00000002.1410358547.00000000052C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
                      Source: LMm6yxQtcf.exe, 00000005.00000002.1410358547.00000000052C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactiveuserers.comVMware20,11696501413
                      Source: LMm6yxQtcf.exe, 00000005.00000002.1410358547.00000000052C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696501413f
                      Source: LMm6yxQtcf.exe, 00000005.00000002.1410358547.00000000052C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696501413
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe System information queried: ModuleInformation
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe Process information queried: ProcessInformation

                      Anti Debugging

                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe Thread information set: HideFromDebugger
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe Open window title or class name: regmonclass
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe Open window title or class name: procmon_window_class
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe Open window title or class name: filemonclass
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe Process queried: DebugPort
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe Process queried: DebugObjectHandle
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe Memory allocated: page read and write | page guard
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: LMm6yxQtcf.exe, 00000005.00000002.1402924690.0000000001F1F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                      Stealing of Sensitive Information

                      Source: Yara match File source: LMm6yxQtcf.exe, type: SAMPLE
                      Source: Yara match File source: 5.0.LMm6yxQtcf.exe.ee0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000005.00000000.1268602080.0000000000EE2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: LMm6yxQtcf.exe, 00000005.00000002.1409671773.000000000433C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Electrum
                      Source: LMm6yxQtcf.exe, 00000005.00000002.1409671773.000000000433C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: q5\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
                      Source: LMm6yxQtcf.exe, 00000005.00000002.1409671773.000000000433C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \Exodus\exodus.wallet
                      Source: LMm6yxQtcf.exe, 00000005.00000002.1409671773.000000000433C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \Ethereum\keystore
                      Source: LMm6yxQtcf.exe, 00000005.00000002.1409671773.000000000433C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Exodus
                      Source: LMm6yxQtcf.exe, 00000005.00000002.1409671773.000000000433C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Ethereum
                      Source: LMm6yxQtcf.exe, 00000005.00000002.1409671773.000000000433C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \Coinomi\Coinomi\wallets
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                      Source: C:\Users\user\Desktop\LMm6yxQtcf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                      Source: Yara match File source: 00000005.00000002.1409671773.0000000004271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: LMm6yxQtcf.exe PID: 7956, type: MEMORYSTR

                      Remote Access Functionality

                      Source: Yara match File source: LMm6yxQtcf.exe, type: SAMPLE
                      Source: Yara match File source: 5.0.LMm6yxQtcf.exe.ee0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000005.00000000.1268602080.0000000000EE2000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                      Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                      Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation (131) | DLL Side-Loading (1) | DLL Side-Loading (1) | Masquerading (1) | OS Credential Dumping (1) | Security Software Discovery (761) | Remote Services | Archive Collected Data (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                      Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools (1) | LSASS Memory | Process Discovery (1) | Remote Desktop Protocol | Data from Local System (2) | Non-Standard Port (1) | Exfiltration Over Bluetooth | Network Denial of Service
                      Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion (471) | Security Account Manager | Virtualization/Sandbox Evasion (471) | SMB/Windows Admin Shares | Data from Network Shared Drive | Ingress Tool Transfer (1) | Automated Exfiltration | Data Encrypted for Impact
                      Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Obfuscated Files or Information (1) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Non-Application Layer Protocol (2) | Traffic Duplication | Data Destruction
                      Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing (11) | LSA Secrets | System Network Configuration Discovery (1) | SSH | Keylogging | Application Layer Protocol (2) | Scheduled Transfer | Data Encrypted for Impact
                      Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Timestomp (1) | Cached Domain Credentials | File and Directory Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                      DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | DLL Side-Loading (1) | DCSync | System Information Discovery (24) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery

                      SourceDetectionScannerLabelLink
                      LMm6yxQtcf.exe66%ReversingLabsWin32.Infostealer.Tinba
                      LMm6yxQtcf.exe100%AviraHEUR/AGEN.1323826
                      LMm6yxQtcf.exe100%Joe Sandbox ML
                      No Antivirus matches
                      No Antivirus matches
                      No Antivirus matches
Source | Detection | Scanner | Label
http://ip-api.comd | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ip-api.com | 208.95.112.1 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://ip-api.com/json/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://ip-api.com/ | LMm6yxQtcf.exe, 00000005.00000002.1425651221.0000000008805000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | LMm6yxQtcf.exe, 00000005.00000002.1409671773.0000000004271000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ip-api.com | LMm6yxQtcf.exe, 00000005.00000002.1425651221.0000000008C0D000.00000004.00000800.00020000.00000000.sdmp, LMm6yxQtcf.exe, 00000005.00000002.1425651221.00000000087D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ip-api.comd | LMm6yxQtcf.exe, 00000005.00000002.1425651221.0000000008C0D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
5.42.92.0 | unknown | Russian Federation | 39493 | RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | false
                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1569362
                                Start date and time:2024-12-05 18:17:50 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 5m 15s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:11
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:LMm6yxQtcf.exe
                                renamed because original name is a hash value
                                Original Sample Name:f8323b929f41ccf03233ed133d14d3b8d4e44ce842db4abf744f7cc96dd8d841.exe
                                Detection:MAL
                                Classification:mal100.troj.spyw.expl.evad.winEXE@1/1@1/2
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 60%
                                • Number of executed functions: 149
                                • Number of non-executed functions: 10
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
                                • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                • Report size getting too big, too many NtOpenFile calls found.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • Report size getting too big, too many NtReadVirtualMemory calls found.
                                • VT rate limit hit for: LMm6yxQtcf.exe
Time | Type | Description
12:18:49 | API Interceptor | 28x Sleep call for process: LMm6yxQtcf.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | aZPQ3mKZSa.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | GZC0n65Ggl.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | aU1TV97585.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | mG93k6iBl4.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | 2zaGROpmo0.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | OFFcN5333E.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | m30zZYga23.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | Z4ChhoiwJW.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | rTransferenciad.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | downloader2.hta | malicious | XWorm | ip-api.com/line/?fields=hosting
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | aZPQ3mKZSa.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | GZC0n65Ggl.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | aU1TV97585.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | mG93k6iBl4.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | 2zaGROpmo0.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
ip-api.com | OFFcN5333E.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | m30zZYga23.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | Z4ChhoiwJW.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | rTransferenciad.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | downloader2.hta | malicious | XWorm | 208.95.112.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | stage-0.bin.exe | malicious | GCleaner | 5.42.65.115
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | yakuza.ppc.elf | malicious | Unknown | 5.42.81.47
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | 1730537044dd01929d6467da9e0bc05cd98b8bc5df2688589dd2eaebbc46df2ed3bf068fc2733.dat-decoded.exe | malicious | AsyncRAT, XWorm | 45.15.158.112
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | QmFIR949GC.exe | malicious | RedLine | 5.42.92.74
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | CFYd8cbC6L.exe | malicious | RedLine | 5.42.92.74
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | AdmalRLZI0.exe | malicious | RedLine | 5.42.92.74
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | SecuriteInfo.com.Trojan.PWS.Stealer.39881.9434.15338.exe | malicious | Unknown | 5.42.66.119
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | b2smJKgMG6.exe | malicious | DCRat, PureLog Stealer, zgRAT | 5.42.92.37
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | Payment Advicegpj..exe | malicious | Unknown | 5.42.94.169
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | Payment Advicegpj..exe | malicious | Unknown | 5.42.94.169
TUT-ASUS | aZPQ3mKZSa.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | GZC0n65Ggl.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | aU1TV97585.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | mG93k6iBl4.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | 2zaGROpmo0.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
TUT-ASUS | OFFcN5333E.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | m30zZYga23.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | Z4ChhoiwJW.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | rTransferenciad.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | downloader2.hta | malicious | XWorm | 208.95.112.1
                                No context
                                No context
                                Process:C:\Users\user\Desktop\LMm6yxQtcf.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1795
                                Entropy (8bit):5.332236526324957
                                Encrypted:false
                                SSDEEP:48:MxHKiHKYHmYHKh3ogLHitHo6hAHKzebHqHG1qHDJHTHKMHA:iqiqYGYqh3ogLCtI6eqzsKmwVzqMg
                                MD5:F23AEC62DD40C37DA462CA3E4D8C86E6
                                SHA1:44A3989CB3C32A602670851EF6DE2109A089938B
                                SHA-256:4EE82BCC43E258BAD24289463C2163C28A6F982A41AC50751E11A9E78EF34818
                                SHA-512:8B622E94A1B6D08978914E6F246449B6CBEC2EE76AE8DF821075B18431404F62B6521D36B0577FFE425AE960645DDC30B1AE2403C0C41717630372E16E09AE32
                                Malicious:true
                                Reputation:low
                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77
                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):7.880753879295548
                                TrID:
                                • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                • Win32 Executable (generic) a (10002005/4) 49.97%
                                • Generic Win/DOS Executable (2004/3) 0.01%
                                • DOS Executable Generic (2002/1) 0.01%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:LMm6yxQtcf.exe
                                File size:5'013'292 bytes
                                MD5:49e51c7694ea172c357db1cabd2300b7
                                SHA1:ec874a5836119b7b82aa8ba50e0410bed0e51a8f
                                SHA256:f8323b929f41ccf03233ed133d14d3b8d4e44ce842db4abf744f7cc96dd8d841
                                SHA512:dd4602c1ed61cc3ac183c2f3a5c9ca953d07743dd55712538354d8ad320a26a9b2caaffa4a180f3bebbd3d711af192c27c54bafca1def6d86dcdd01d45bb3c0c
                                SSDEEP:98304:As7M0OgNgIIrtBYkogenta2XPDnjHb/CCYm976hRH+2oDhs8AvFEm0y:v7lOcvQt7ogeV7nHCJml6HH5qE9c
                                TLSH:BA36231BBA168941C2946B37C59F51045778DB81236BEB0D78C927EA08633BFE84F64F
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...#.t...............0.................. ...@....@.. ....................... ........L...`................................
                                Icon Hash:90cececece8e8eb0
                                Entrypoint:0xf0e000
                                Entrypoint Section:.taggant
                                Digitally signed:true
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                Time Stamp:0xBF741A23 [Wed Oct 14 14:05:23 2071 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:4328f7206db519cd4e82283211d98e83
                                Signature Valid:false
                                Signature Issuer:CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                                Signature Validation Error:The digital signature of the object did not verify
                                Error Number:-2146869232
                                Not Before, Not After
                                • 12/05/2022 22:46:02 11/05/2023 22:46:02
                                Subject Chain
                                • CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                                Version:3
                                Thumbprint MD5:D03E1ED3E72F64CC6C5A636BE32C29AD
                                Thumbprint SHA-1:97221B97098F37A135DCC212E2B41E452BCE51F2
                                Thumbprint SHA-256:AAE358FD90D5500110EE8BF3BD2C668F834559710DA7D75C266018BB9506F2F6
                                Serial:33000002CDF364BFF8D44C5D510000000002CD
                                Instruction
                                jmp 00007EFFC07E05EAh
                                wrmsr
                                dec esp
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add cl, ch
                                add byte ptr [eax], ah
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [edi], cl
                                sub eax, 01000000h
                                add byte ptr [eax], al
                                add byte ptr [eax], cl
                                add dword ptr [eax], eax
                                add byte ptr [eax], al
                                or eax, dword ptr [ebx+00h]
                                add dword ptr [eax], eax
                                add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6803a | 0x50 | .imports
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6a000 | 0xa80 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x4c5014 | 0x2f18 | .themida
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x62000 | 0x60600 | ab6f98e07e44bc34c4dda69368dc80e1 | False | 0.4584827942607004 | SysEx File - | 5.931039177166276 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
(unnamed section, special characters) | 0x64000 | 0x590 | 0x288 | eca90b3c03b067ca15aa0cf3f8e991fc | False | 1.0169753086419753 | data | 7.585830734854682 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
(unnamed section, special characters) | 0x66000 | 0xc | 0xf | dcec01ac5a13f93c73da7e4c95983a67 | False | 1.6 | data | 3.906890595608518 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.imports | 0x68000 | 0x2000 | 0x200 | c59a21b8569552638f4f2a8d846fbe57 | False | 0.16796875 | data | 1.1405531534676816 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6a000 | 0x2000 | 0xc00 | d6ba8a6642cb692968346f00b3efb802 | False | 0.3463541666666667 | data | 4.673291671683264 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.themida | 0x6c000 | 0x640000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.boot | 0x6ac000 | 0x461200 | 0x461200 | 8f70613658d40772bd311a5f526638cb | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.taggant | 0xb0e000 | 0x2200 | 0x2014 | a6bb36a27ce1383ed48f73ac7263ee4c | False | 0.09072089624939113 | DOS executable (COM) | 0.9676940379095681 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x6a0b0 | 0x304 | data | | | 0.4339378238341969
RT_MANIFEST | 0x6a3c4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | English | United States | 0.5489795918367347
RT_MANIFEST | 0x6a5c0 | 0x4c0 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1156), with CRLF line terminators | English | United States | 0.47368421052631576
DLL | Import
kernel32.dll | GetModuleHandleA
mscoree.dll | _CorExeMain
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Dec 5, 2024 18:19:01.682558060 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:01.926198006 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:01.926286936 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:02.166333914 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:02.167104959 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:02.410538912 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:02.410595894 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:02.658267975 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:02.658322096 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:02.902295113 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:02.902354956 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:03.146298885 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:03.146359921 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:03.386276960 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:03.386413097 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:03.630314112 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:03.632245064 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:03.874280930 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:03.874488115 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:04.118304968 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:04.121097088 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:04.362333059 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:04.362493992 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:04.606287003 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:04.606395006 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:04.846282005 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:04.846455097 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:05.094301939 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:05.094368935 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:05.338267088 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:05.338324070 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:05.578362942 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:05.578471899 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:05.822288036 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:05.822494984 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:06.070333004 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:06.070437908 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:06.318243980 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:06.318325043 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:06.562340975 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:06.563981056 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:06.810679913 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:06.811472893 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:07.058314085 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:07.058451891 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:07.302463055 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:07.302524090 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:07.546473980 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:07.546658993 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:07.790345907 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:07.790586948 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:08.034408092 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:08.034483910 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:08.278322935 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:08.278434992 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:08.522332907 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:08.522444963 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:08.766329050 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:08.766449928 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:09.006277084 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:09.006455898 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:09.250477076 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:09.250545025 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:09.494426012 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:09.494553089 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:09.738353014 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:09.738418102 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:09.979605913 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:09.979715109 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:10.226677895 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:10.226824999 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:10.470354080 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:10.470535994 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:10.718332052 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:10.718420029 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:10.958317995 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:10.958439112 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:11.198298931 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:11.198450089 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:11.438457012 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:11.438623905 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:11.682786942 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:11.685077906 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:11.926306009 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:11.926537037 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:12.166383028 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:12.169065952 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:12.410569906 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:12.410670042 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:12.658361912 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:12.658621073 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:12.906395912 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:12.906487942 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:13.154439926 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:13.154525042 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:13.415329933 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:13.415487051 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:13.658606052 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:13.658883095 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:13.902414083 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:13.902575970 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:14.146454096 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:14.146560907 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:14.390532970 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:14.390671015 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:14.635385990 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:14.635499954 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:14.884810925 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:14.885070086 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:15.126437902 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:15.126682043 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:15.370378017 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:15.370456934 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:15.614341974 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:15.614521980 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:15.858366013 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:15.858535051 CET497275555192.168.2.105.42.92.0
                                Dec 5, 2024 18:19:15.957359076 CET5555497275.42.92.0192.168.2.10
                                Dec 5, 2024 18:19:15.978579044 CET5555497275.42.92.0192.168.2.10
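The TCP rows above show 5.42.92.0:5555 sending a packet roughly every 240 to 250 ms and the sample answering within about 100 microseconds each time, which is the kind of fixed-interval exchange a beaconing check is built to catch. The script below is an added example and is not part of the Joe Sandbox report or of the sample: it parses packet rows in the layout of that table (timestamp, source port, destination port, source IP, destination IP, here typed with `|` separators), groups them per remote endpoint and direction, and flags a flow as a beacon when its inter-packet interval is near-constant. The sample rows are retyped by hand from the report's DNS, HTTP and first TCP packets; the thresholds `min_packets` and `max_jitter` are assumptions chosen for illustration, not values taken from the report.

```python
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample: the DNS, HTTP and first TCP rows of the report's packet
# table, retyped by hand as "timestamp | sport | dport | src IP | dst IP".
SAMPLE_ROWS = """
Dec 5, 2024 18:18:49.088661909 CET | 54942 | 53    | 192.168.2.10 | 1.1.1.1
Dec 5, 2024 18:18:49.225924969 CET | 53    | 54942 | 1.1.1.1      | 192.168.2.10
Dec 5, 2024 18:18:49.351361036 CET | 49715 | 80    | 192.168.2.10 | 208.95.112.1
Dec 5, 2024 18:18:56.802453995 CET | 49727 | 5555  | 192.168.2.10 | 5.42.92.0
Dec 5, 2024 18:18:57.046286106 CET | 5555  | 49727 | 5.42.92.0    | 192.168.2.10
Dec 5, 2024 18:18:57.046466112 CET | 49727 | 5555  | 192.168.2.10 | 5.42.92.0
Dec 5, 2024 18:18:57.294260979 CET | 5555  | 49727 | 5.42.92.0    | 192.168.2.10
Dec 5, 2024 18:18:57.294979095 CET | 49727 | 5555  | 192.168.2.10 | 5.42.92.0
Dec 5, 2024 18:18:57.542236090 CET | 5555  | 49727 | 5.42.92.0    | 192.168.2.10
Dec 5, 2024 18:18:57.542285919 CET | 49727 | 5555  | 192.168.2.10 | 5.42.92.0
Dec 5, 2024 18:18:57.782223940 CET | 5555  | 49727 | 5.42.92.0    | 192.168.2.10
Dec 5, 2024 18:18:57.782275915 CET | 49727 | 5555  | 192.168.2.10 | 5.42.92.0
Dec 5, 2024 18:18:58.026252985 CET | 5555  | 49727 | 5.42.92.0    | 192.168.2.10
Dec 5, 2024 18:18:58.026318073 CET | 49727 | 5555  | 192.168.2.10 | 5.42.92.0
Dec 5, 2024 18:18:58.266247988 CET | 5555  | 49727 | 5.42.92.0    | 192.168.2.10
Dec 5, 2024 18:18:58.266345024 CET | 49727 | 5555  | 192.168.2.10 | 5.42.92.0
"""

TS_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+) [A-Z]{3,4}$")


def parse_timestamp(text: str) -> float:
    """'Dec 5, 2024 18:18:56.802453995 CET' -> seconds as a float.
    The zone label is ignored: only intervals between packets matter here."""
    m = TS_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    base = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S")
    frac = int(m.group(2)) / 10 ** len(m.group(2))  # keeps all nine digits
    return (base - datetime(1970, 1, 1)).total_seconds() + frac


@dataclass(frozen=True)
class Packet:
    ts: float
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_rows(text: str) -> List[Packet]:
    packets = []
    for line in text.splitlines():
        if line.strip():
            ts, sport, dport, sip, dip = (f.strip() for f in line.split("|"))
            packets.append(Packet(parse_timestamp(ts), sip, int(sport), dip, int(dport)))
    return packets


@dataclass
class FlowStats:
    remote: Tuple[str, int]
    direction: str                    # "out": sandbox -> remote, "in": remote -> sandbox
    count: int
    median_interval: Optional[float]  # seconds between consecutive packets
    jitter: Optional[float]           # pstdev / mean of the intervals
    is_beacon: bool


def beacon_stats(packets: List[Packet], local_ip: str,
                 min_packets: int = 5, max_jitter: float = 0.2) -> List[FlowStats]:
    """Group packets per remote endpoint and direction, then flag flows whose
    inter-packet interval is near-constant. Both thresholds are assumptions."""
    flows = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        if p.src_ip == local_ip:
            flows[((p.dst_ip, p.dst_port), "out")].append(p.ts)
        elif p.dst_ip == local_ip:
            flows[((p.src_ip, p.src_port), "in")].append(p.ts)
    results = []
    for (remote, direction), stamps in sorted(flows.items()):
        if len(stamps) < min_packets:
            results.append(FlowStats(remote, direction, len(stamps), None, None, False))
            continue
        intervals = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(intervals)
        jitter = statistics.pstdev(intervals) / mean if mean > 0 else float("inf")
        results.append(FlowStats(remote, direction, len(stamps),
                                 statistics.median(intervals), jitter, jitter <= max_jitter))
    return results


if __name__ == "__main__":
    for s in beacon_stats(parse_rows(SAMPLE_ROWS), "192.168.2.10"):
        flag = "BEACON" if s.is_beacon else "-"
        print(f"{s.remote[0]}:{s.remote[1]} {s.direction:3} n={s.count:<3} "
              f"median={s.median_interval} jitter={s.jitter} {flag}")
```

On the constructed rows the 5.42.92.0:5555 flow is flagged in both directions with a median interval of about 0.244 s and a jitter well under 2 percent, while the single-packet DNS and HTTP flows fall below `min_packets` and are left unscored. A real deployment would feed it flow records from a sensor rather than retyped report rows, and the jitter threshold would need tuning against the beacon intervals the malware family actually uses, which this report cannot tell you.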
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 5, 2024 18:18:49.088661909 CET | 54942 | 53 | 192.168.2.10 | 1.1.1.1
Dec 5, 2024 18:18:49.225924969 CET | 53 | 54942 | 1.1.1.1 | 192.168.2.10
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 5, 2024 18:18:49.088661909 CET | 192.168.2.10 | 1.1.1.1 | 0x3cf8 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 5, 2024 18:18:49.225924969 CET | 1.1.1.1 | 192.168.2.10 | 0x3cf8 | No error (0) | ip-api.com | (none) | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                                • ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49715 | 208.95.112.1 | 80 | 7956 | C:\Users\user\Desktop\LMm6yxQtcf.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 18:18:49.351361036 CET | 97 | OUT | GET /json/ HTTP/1.1
                                Content-Type: application/json
                                Host: ip-api.com
                                Connection: Keep-Alive
Dec 5, 2024 18:18:50.447510958 CET | 483 | IN | HTTP/1.1 200 OK
                                Date: Thu, 05 Dec 2024 17:18:49 GMT
                                Content-Type: application/json; charset=utf-8
                                Content-Length: 306
                                Access-Control-Allow-Origin: *
                                X-Ttl: 60
                                X-Rl: 44
                                Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 59 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 7a 69 70 22 3a 22 31 30 31 32 33 22 2c 22 6c 61 74 22 3a 34 30 2e 37 31 32 38 2c 22 6c 6f 6e 22 3a 2d 37 34 2e 30 30 36 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 69 73 70 22 3a 22 4c 65 76 65 6c 20 33 22 2c 22 6f 72 67 22 3a 22 43 65 6e 74 75 72 79 4c 69 6e 6b 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 2c 20 4c 4c 43 22 2c 22 61 73 22 3a 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 32 32 38 22 7d
                                Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10123","lat":40.7128,"lon":-74.006,"timezone":"America/New_York","isp":"Level 3","org":"CenturyLink Communications, LLC","as":"AS3356 Level 3 Parent, LLC","query":"8.46.123.228"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.10 | 49721 | 208.95.112.1 | 80 | 7956 | C:\Users\user\Desktop\LMm6yxQtcf.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 18:18:52.353528023 CET | 97 | OUT | GET /json/ HTTP/1.1
                                Content-Type: application/json
                                Host: ip-api.com
                                Connection: Keep-Alive
Dec 5, 2024 18:18:53.453075886 CET | 483 | IN | HTTP/1.1 200 OK
                                Date: Thu, 05 Dec 2024 17:18:53 GMT
                                Content-Type: application/json; charset=utf-8
                                Content-Length: 306
                                Access-Control-Allow-Origin: *
                                X-Ttl: 60
                                X-Rl: 44
                                Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 59 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 7a 69 70 22 3a 22 31 30 31 32 33 22 2c 22 6c 61 74 22 3a 34 30 2e 37 31 32 38 2c 22 6c 6f 6e 22 3a 2d 37 34 2e 30 30 36 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 69 73 70 22 3a 22 4c 65 76 65 6c 20 33 22 2c 22 6f 72 67 22 3a 22 43 65 6e 74 75 72 79 4c 69 6e 6b 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 2c 20 4c 4c 43 22 2c 22 61 73 22 3a 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 32 32 38 22 7d
                                Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10123","lat":40.7128,"lon":-74.006,"timezone":"America/New_York","isp":"Level 3","org":"CenturyLink Communications, LLC","as":"AS3356 Level 3 Parent, LLC","query":"8.46.123.228"}



Target ID: 5
Start time: 12:18:39
Start date: 05/12/2024
Path: C:\Users\user\Desktop\LMm6yxQtcf.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\LMm6yxQtcf.exe"
Imagebase: 0xee0000
File size: 5'013'292 bytes
MD5 hash: 49E51C7694EA172C357DB1CABD2300B7
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000005.00000000.1268602080.0000000000EE2000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.1409671773.0000000004271000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000005.00000002.1409671773.0000000004271000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true
