Edit tour

Windows Analysis Report
capt1cha.exe

Overview

General Information

Sample name:	capt1cha.exe
Analysis ID:	1631995
MD5:	032f2e9ef6b95a08483283d3901e25b4
SHA1:	8c3390a9ab98f36c3202c83eec3ba10c25b67eb7
SHA256:	b18c61d9c5e8375d870516f616d1145a4496411c1b914f692620973decf8688a
Tags:	exeuser-aachum
Infos:

Detection

Score:	92
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Attempt to bypass Chrome Application-Bound Encryption

Multi AV Scanner detection for submitted file

Joe Sandbox ML detected suspicious sample

Queries temperature or sensor information (via WMI often done to detect virtual machines)

Sigma detected: Potential Data Stealing Via Chromium Headless Debugging

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Creates a process in suspended mode (likely to inject code)

Enables debug privileges

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Queries the volume information (name, serial number etc) of a device

Sigma detected: Browser Execution In Headless Mode

Sigma detected: Browser Started with Remote Debugging

Tries to detect if online games are installed (MineCraft, World Of Warcraft etc)

Uses taskkill to terminate processes

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

capt1cha.exe (PID: 1252 cmdline: "C:\Users\user\Desktop\capt1cha.exe" MD5: 032F2E9EF6B95A08483283D3901E25B4)

tasklist.exe (PID: 832 cmdline: "tasklist" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

conhost.exe (PID: 420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 508 cmdline: "tasklist" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

conhost.exe (PID: 1340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 5664 cmdline: "tasklist" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

conhost.exe (PID: 2888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 6520 cmdline: "tasklist" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

conhost.exe (PID: 6608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 1136 cmdline: "tasklist" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

conhost.exe (PID: 832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 4788 cmdline: "tasklist" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

conhost.exe (PID: 3904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 872 cmdline: "tasklist" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

conhost.exe (PID: 5944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 5344 cmdline: "tasklist" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

conhost.exe (PID: 4788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 6176 cmdline: "tasklist" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

conhost.exe (PID: 2424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 3032 cmdline: "tasklist" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

conhost.exe (PID: 5192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 5908 cmdline: "tasklist" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

conhost.exe (PID: 5680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 6436 cmdline: "tasklist" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

conhost.exe (PID: 5540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 6176 cmdline: "tasklist" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

conhost.exe (PID: 5680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 4508 cmdline: "tasklist" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

conhost.exe (PID: 3952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 5956 cmdline: "tasklist" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

conhost.exe (PID: 4328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7220 cmdline: "tasklist" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

conhost.exe (PID: 7248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7652 cmdline: "taskkill" /F /IM discord.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

conhost.exe (PID: 7660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7708 cmdline: "tasklist" /FI "IMAGENAME eq msedge.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

conhost.exe (PID: 7724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7716 cmdline: "tasklist" /FI "IMAGENAME eq chrome.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

conhost.exe (PID: 7732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msedge.exe (PID: 7820 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless --restore-last-session --remote-debugging-port=8481 --remote-allow-origins=* "--user-data-dir=C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default --start-minimized MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8100 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=2080 --field-trial-handle=1452,i,9008779610849694314,4242886108634219008,262144 --disable-features=PaintHolding /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

chrome.exe (PID: 7828 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --restore-last-session --remote-debugging-port=8480 --remote-allow-origins=* "--user-data-dir=C:\Users\user\AppData\Local\Google\Chrome\User Data" --profile-directory=Default --start-minimized MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 8180 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\User Data" --no-pre-read-main-dll --field-trial-handle=2092,i,3451624109008190827,1165491758054830447,262144 --disable-features=PaintHolding --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2144 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

tasklist.exe (PID: 3044 cmdline: "tasklist" /FI "IMAGENAME eq chrome.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

conhost.exe (PID: 4208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 4000 cmdline: "taskkill" /F /IM chrome.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

conhost.exe (PID: 4276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 5048 cmdline: "tasklist" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

conhost.exe (PID: 4908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 4976 cmdline: "tasklist" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

conhost.exe (PID: 4968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 4916 cmdline: "tasklist" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

conhost.exe (PID: 4836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 6828 cmdline: "tasklist" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

conhost.exe (PID: 1604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7656 cmdline: "tasklist" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

conhost.exe (PID: 7676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7748 cmdline: "tasklist" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

conhost.exe (PID: 7708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7772 cmdline: "tasklist" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

conhost.exe (PID: 7732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7348 cmdline: "tasklist" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

conhost.exe (PID: 6000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 3232 cmdline: "tasklist" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

conhost.exe (PID: 3760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 2016 cmdline: "tasklist" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

conhost.exe (PID: 3256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 1744 cmdline: "tasklist" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

conhost.exe (PID: 2564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7876 cmdline: "tasklist" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

conhost.exe (PID: 7908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1705679022.00007FF76EC41000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: capt1cha.exe PID: 1252	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.capt1cha.exe.7ff76ec40000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Potential Data Stealing Via Chromium Headless Debugging

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless --restore-last-session --remote-debugging-port=8481 --remote-allow-origins=* "--user-data-dir=C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default --start-minimized, CommandLine: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless --restore-last-session --remote-debugging-port=8481 --remote-allow-origins=* "--user-data-dir=C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default --start-minimized, CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, NewProcessName: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, OriginalFileName: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, ParentCommandLine: "C:\Users\user\Desktop\capt1cha.exe", ParentImage: C:\Users\user\Desktop\capt1cha.exe, ParentProcessId: 1252, ParentProcessName: capt1cha.exe, ProcessCommandLine: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless --restore-last-session --remote-debugging-port=8481 --remote-allow-origins=* "--user-data-dir=C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default --start-minimized, ProcessId: 7820, ProcessName: msedge.exe

Sigma detected: Browser Execution In Headless Mode

Source: Process started

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless --restore-last-session --remote-debugging-port=8481 --remote-allow-origins=* "--user-data-dir=C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default --start-minimized, CommandLine: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless --restore-last-session --remote-debugging-port=8481 --remote-allow-origins=* "--user-data-dir=C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default --start-minimized, CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, NewProcessName: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, OriginalFileName: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, ParentCommandLine: "C:\Users\user\Desktop\capt1cha.exe", ParentImage: C:\Users\user\Desktop\capt1cha.exe, ParentProcessId: 1252, ParentProcessName: capt1cha.exe, ProcessCommandLine: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless --restore-last-session --remote-debugging-port=8481 --remote-allow-origins=* "--user-data-dir=C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default --start-minimized, ProcessId: 7820, ProcessName: msedge.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: capt1cha.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://panelonoaltanlyanlsaydprysmaxwebnasodaskfoa.digital/api/logV	Avira URL Cloud: Label: malware
Source: https://panelonoaltanlyanlsaydprysmaxwebnasodaskfoa.digital/api/log	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: capt1cha.exe	Virustotal: Detection: 65%			Perma Link
Source: capt1cha.exe	ReversingLabs: Detection: 52%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.6% probability

Source: unknown	HTTPS traffic detected: 204.79.197.222:443 -> 192.168.2.4:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.4:49733 version: TLS 1.2

Source: capt1cha.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: prysmax.pdb source: capt1cha.exe, capt1cha.exe, 00000000.00000002.1705679022.00007FF76EC41000.00000040.00000001.01000000.00000003.sdmp

Source: chrome.exe

Memory has grown: Private usage: 6MB later: 38MB

Source: global traffic

HTTP traffic detected: GET /json/ HTTP/1.1accept: */*host: ipwhois.app

Source: Joe Sandbox View	IP Address: 195.201.57.90 195.201.57.90
Source: Joe Sandbox View	IP Address: 195.201.57.90 195.201.57.90

Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.185.67
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.185.67
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.185.67
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.185.67
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.185.67
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.185.67
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.185.67
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.196.254
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /json/ HTTP/1.1accept: /host: ipwhois.app
Source: global traffic	HTTP traffic detected: GET /r/gsr1.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: /If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog
Source: global traffic	HTTP traffic detected: GET /r/r4.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: /If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog

Source: global traffic	DNS traffic detected: DNS query: tools.google.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: ipwhois.app

Source: capt1cha.exe, 00000000.00000003.1560312061.000001AD4F311000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: capt1cha.exe, 00000000.00000003.1560312061.000001AD4F311000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: capt1cha.exe, 00000000.00000003.1560312061.000001AD4F311000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uN
Source: capt1cha.exe, 00000000.00000003.1560312061.000001AD4F311000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: capt1cha.exe, 00000000.00000003.1560312061.000001AD4F2EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertGlobalRootG2.crt=q
Source: temp_cards_1795881575.db.0.dr	String found in binary or memory: https://ac.ecosia.org?q=
Source: capt1cha.exe, 00000000.00000003.1560544381.000001AD4F30E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: capt1cha.exe, 00000000.00000003.1560544381.000001AD4F30E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirm
Source: capt1cha.exe, capt1cha.exe, 00000000.00000002.1705679022.00007FF76EC41000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://api.ipify.org?format=json
Source: capt1cha.exe, 00000000.00000002.1705679022.00007FF76EC41000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://api.ipify.org?format=jsonxi
Source: temp_cards_1795881575.db.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: capt1cha.exe, 00000000.00000003.1394287133.000001AD4D4CA000.00000004.00000020.00020000.00000000.sdmp, temp_cards_1795881575.db.0.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: capt1cha.exe, 00000000.00000003.1394287133.000001AD4D4CA000.00000004.00000020.00020000.00000000.sdmp, temp_cards_1795881575.db.0.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: capt1cha.exe, capt1cha.exe, 00000000.00000002.1705679022.00007FF76EC41000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: temp_cards_1795881575.db.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: capt1cha.exe, 00000000.00000003.1394287133.000001AD4D4CA000.00000004.00000020.00020000.00000000.sdmp, temp_cards_1795881575.db.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: temp_cards_1795881575.db.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: temp_cards_1795881575.db.0.dr	String found in binary or memory: https://gemini.google.com/app?q=
Source: capt1cha.exe, 00000000.00000002.1705679022.00007FF76EC41000.00000040.00000001.01000000.00000003.sdmp, capt1cha.exe, 00000000.00000003.1699537164.000001AD4F2E0000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1702705141.000001AD4F30D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipwhois.app/json/
Source: capt1cha.exe, 00000000.00000002.1705679022.00007FF76EC41000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://ipwhois.app/json/0
Source: capt1cha.exe, 00000000.00000002.1705679022.00007FF76EC41000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://ipwhois.app/json/TEMPPrysmax
Source: capt1cha.exe, 00000000.00000003.1702232848.000001AD4F308000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000002.1705156584.000001AD4F30E000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1700084435.000001AD4F300000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1699537164.000001AD4F2E0000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1702705141.000001AD4F30D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipwhois.app/json/ist.exea
Source: capt1cha.exe, 00000000.00000003.1702232848.000001AD4F308000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000002.1705156584.000001AD4F30E000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1700084435.000001AD4F300000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1699537164.000001AD4F2E0000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1702705141.000001AD4F30D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipwhois.app/json/ist.exeaeata
Source: capt1cha.exe, 00000000.00000003.1702232848.000001AD4F308000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000002.1705156584.000001AD4F30E000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1700084435.000001AD4F300000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1699537164.000001AD4F2E0000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1702705141.000001AD4F30D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipwhois.app/json/st_aeD
Source: capt1cha.exe, capt1cha.exe, 00000000.00000003.1702990607.000001AD4D45C000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000002.1705679022.00007FF76EC41000.00000040.00000001.01000000.00000003.sdmp, capt1cha.exe, 00000000.00000003.1564418934.000001AD4F5BC000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000002.1704172602.000001AD4D45E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://panelonoaltanlyanlsaydprysmaxwebnasodaskfoa.digital/api/log
Source: capt1cha.exe, 00000000.00000003.1702990607.000001AD4D45C000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1564418934.000001AD4F5BC000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000002.1704172602.000001AD4D45E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://panelonoaltanlyanlsaydprysmaxwebnasodaskfoa.digital/api/logV
Source: capt1cha.exe, capt1cha.exe, 00000000.00000002.1705679022.00007FF76EC41000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://panelonoaltanlyanlsaydprysmaxwebnasodaskfoa.digital/api/logexpected
Source: capt1cha.exe, 00000000.00000003.1394287133.000001AD4D4CA000.00000004.00000020.00020000.00000000.sdmp, temp_cards_1795881575.db.0.dr	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: capt1cha.exe, 00000000.00000003.1394287133.000001AD4D4CA000.00000004.00000020.00020000.00000000.sdmp, temp_cards_1795881575.db.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49680 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716

Source: unknown	HTTPS traffic detected: 204.79.197.222:443 -> 192.168.2.4:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.4:49733 version: TLS 1.2

Source: classification engine

Classification label: mal92.troj.spyw.evad.winEXE@123/10@15/4

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\chrome_debug.log

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3760:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3904:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5192:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:420:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7676:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7732:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5540:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6608:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2564:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2888:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7908:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4208:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4836:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4276:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1604:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7660:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7708:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7724:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4968:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7248:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2424:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5944:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4908:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4328:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4788:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3952:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6000:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1340:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:832:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5680:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3256:120:WilError_03

Source: C:\Users\user\Desktop\capt1cha.exe

File created: C:\Users\user\AppData\Local\Temp\Prysmax

Jump to behavior

Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "discord.exe")
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'MSEDGE.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'CHROME.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'CHROME.EXE'
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'MSEDGE.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\capt1cha.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: capt1cha.exe, 00000000.00000002.1705679022.00007FF76EC41000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: tasklist.exe, 00000018.00000002.1255220261.000002C030B25000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process32;^=
Source: capt1cha.exe, capt1cha.exe, 00000000.00000002.1705679022.00007FF76EC41000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: capt1cha.exe, capt1cha.exe, 00000000.00000002.1705679022.00007FF76EC41000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: capt1cha.exe, capt1cha.exe, 00000000.00000002.1705679022.00007FF76EC41000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: capt1cha.exe, capt1cha.exe, 00000000.00000002.1705679022.00007FF76EC41000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: capt1cha.exe, capt1cha.exe, 00000000.00000002.1705679022.00007FF76EC41000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: capt1cha.exe, 00000000.00000003.1396352495.000001AD4D487000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1392153515.000001AD4D470000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1392266710.000001AD4D487000.00000004.00000020.00020000.00000000.sdmp, temp_login_1949023805.db.0.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: capt1cha.exe, capt1cha.exe, 00000000.00000002.1705679022.00007FF76EC41000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: capt1cha.exe	Virustotal: Detection: 65%
Source: capt1cha.exe	ReversingLabs: Detection: 52%

Source: capt1cha.exe

String found in binary or memory: --start-minimizedCookienamevaluedomainpathexpireshttpOnlysecuresession

Source: unknown	Process created: C:\Users\user\Desktop\capt1cha.exe "C:\Users\user\Desktop\capt1cha.exe"
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist" /FO CSV /NH
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\taskkill.exe "taskkill" /F /IM discord.exe
Source: C:\Windows\System32\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist" /FI "IMAGENAME eq msedge.exe"
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist" /FI "IMAGENAME eq chrome.exe"
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless --restore-last-session --remote-debugging-port=8481 --remote-allow-origins=* "--user-data-dir=C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default --start-minimized
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --restore-last-session --remote-debugging-port=8480 --remote-allow-origins=* "--user-data-dir=C:\Users\user\AppData\Local\Google\Chrome\User Data" --profile-directory=Default --start-minimized
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=2080 --field-trial-handle=1452,i,9008779610849694314,4242886108634219008,262144 --disable-features=PaintHolding /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\User Data" --no-pre-read-main-dll --field-trial-handle=2092,i,3451624109008190827,1165491758054830447,262144 --disable-features=PaintHolding --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2144 /prefetch:3
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist" /FI "IMAGENAME eq chrome.exe"
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\taskkill.exe "taskkill" /F /IM chrome.exe
Source: C:\Windows\System32\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"
Source: C:\Windows\System32\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist" /FO CSV /NH	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\taskkill.exe "taskkill" /F /IM discord.exe	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist" /FI "IMAGENAME eq msedge.exe"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist" /FI "IMAGENAME eq chrome.exe"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless --restore-last-session --remote-debugging-port=8481 --remote-allow-origins=* "--user-data-dir=C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default --start-minimized	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --restore-last-session --remote-debugging-port=8480 --remote-allow-origins=* "--user-data-dir=C:\Users\user\AppData\Local\Google\Chrome\User Data" --profile-directory=Default --start-minimized	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist" /FI "IMAGENAME eq chrome.exe"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\taskkill.exe "taskkill" /F /IM chrome.exe	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=2080 --field-trial-handle=1452,i,9008779610849694314,4242886108634219008,262144 --disable-features=PaintHolding /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\User Data" --no-pre-read-main-dll --field-trial-handle=2092,i,3451624109008190827,1165491758054830447,262144 --disable-features=PaintHolding --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2144 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\capt1cha.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Section loaded: perfos.dll	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll

Source: C:\Windows\System32\tasklist.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\capt1cha.exe

Process created: C:\Windows\System32\tasklist.exe "tasklist"

Source: capt1cha.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: capt1cha.exe

Static file information: File size 2806784 > 1048576

Source: capt1cha.exe

Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x2ac800

Source: capt1cha.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: prysmax.pdb source: capt1cha.exe, capt1cha.exe, 00000000.00000002.1705679022.00007FF76EC41000.00000040.00000001.01000000.00000003.sdmp

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\capt1cha.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries temperature or sensor information (via WMI often done to detect virtual machines)

Source: C:\Users\user\Desktop\capt1cha.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSAcpi_ThermalZoneTemperature
Source: C:\Users\user\Desktop\capt1cha.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSAcpi_ThermalZoneTemperature

Source: C:\Users\user\Desktop\capt1cha.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: capt1cha.exe, 00000000.00000002.1704264716.000001AD4D461000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1702990607.000001AD4D45C000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1564418934.000001AD4F5BC000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1703513140.000001AD4D460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Logical Processorllsp
Source: capt1cha.exe, 00000000.00000002.1704264716.000001AD4D461000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1702990607.000001AD4D45C000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1564418934.000001AD4F5BC000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1703513140.000001AD4D460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V VM Vid Partitionll
Source: capt1cha.exe, 00000000.00000002.1704264716.000001AD4D461000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1702990607.000001AD4D45C000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1564418934.000001AD4F5BC000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1703513140.000001AD4D460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Virtual Processor
Source: capt1cha.exe, 00000000.00000003.1703268920.000001AD4D4A2000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000002.1704172602.000001AD4D426000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1703196776.000001AD4D495000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1564418934.000001AD4F58B000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000002.1704418071.000001AD4D4A3000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1702990607.000001AD4D491000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1564418934.000001AD4F5F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: capt1cha.exe, 00000000.00000003.1703268920.000001AD4D4A2000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1703196776.000001AD4D495000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000002.1704418071.000001AD4D4A3000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1702990607.000001AD4D491000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1564418934.000001AD4F5F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: capt1cha.exe, 00000000.00000003.1541488525.000001AD4F159000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1540904732.000001AD4F159000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Costick bb
Source: capt1cha.exe, 00000000.00000003.1549824947.000001AD4D4ED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost
Source: capt1cha.exe, 00000000.00000002.1704264716.000001AD4D461000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1702990607.000001AD4D45C000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1564418934.000001AD4F5BC000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1703513140.000001AD4D460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Virtual Machine Bus Pipesnsc
Source: capt1cha.exe, 00000000.00000003.1539704238.000001AD4D4F6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Ro
Source: capt1cha.exe, 00000000.00000003.1560312061.000001AD4F2EB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: capt1cha.exe, 00000000.00000003.1703268920.000001AD4D4A2000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1703196776.000001AD4D495000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000002.1704418071.000001AD4D4A3000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1702990607.000001AD4D491000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1564418934.000001AD4F5F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Hypervisori
Source: capt1cha.exe, 00000000.00000003.1703268920.000001AD4D4A2000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1703196776.000001AD4D495000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000002.1704418071.000001AD4D4A3000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1702990607.000001AD4D491000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1564418934.000001AD4F5F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Logical Processordlls
Source: capt1cha.exe, 00000000.00000003.1703268920.000001AD4D4A2000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1703196776.000001AD4D495000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000002.1704418071.000001AD4D4A3000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1702990607.000001AD4D491000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1564418934.000001AD4F5F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V ubofaqvhsupwiqp Bus
Source: capt1cha.exe, 00000000.00000002.1704553251.000001AD4F126000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1700559357.000001AD4F126000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V VM Vid Partition
Source: capt1cha.exe, 00000000.00000002.1704264716.000001AD4D461000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1702990607.000001AD4D45C000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1564418934.000001AD4F5BC000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1703513140.000001AD4D460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Partition
Source: capt1cha.exe, 00000000.00000003.1540565805.000001AD4F143000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1541180240.000001AD4F143000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flus
Source: capt1cha.exe, 00000000.00000003.1703268920.000001AD4D4A2000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1703196776.000001AD4D495000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1702990607.000001AD4D491000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1564418934.000001AD4F5F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: capt1cha.exe, 00000000.00000003.1703268920.000001AD4D4A2000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1703196776.000001AD4D495000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000002.1704418071.000001AD4D4A3000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1702990607.000001AD4D491000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1564418934.000001AD4F5F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: capt1cha.exe, 00000000.00000003.1560544381.000001AD4F35A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en\machine.inf_loc
Source: capt1cha.exe, 00000000.00000002.1704264716.000001AD4D461000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1702990607.000001AD4D45C000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1564418934.000001AD4F5BC000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1703513140.000001AD4D460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Hypervisor Root PartitioneN
Source: capt1cha.exe, 00000000.00000003.1703268920.000001AD4D4A2000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1703196776.000001AD4D495000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000002.1704418071.000001AD4D4A3000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1702990607.000001AD4D491000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1564418934.000001AD4F5F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: capt1cha.exe, 00000000.00000003.1703268920.000001AD4D4A2000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1703196776.000001AD4D495000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000002.1704418071.000001AD4D4A3000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1702990607.000001AD4D491000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1564418934.000001AD4F5F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processor`w
Source: capt1cha.exe, 00000000.00000003.1702990607.000001AD4D45C000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1564418934.000001AD4F5BC000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000002.1704172602.000001AD4D45E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Pipess
Source: capt1cha.exe, 00000000.00000003.1549110802.000001AD4D4EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: s/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost
Source: capt1cha.exe, 00000000.00000003.1540871912.000001AD4F13B000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1540228512.000001AD4F138000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequenc
Source: capt1cha.exe, 00000000.00000003.1564418934.000001AD4F5E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: lowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshotomain)
Source: capt1cha.exe, 00000000.00000002.1704264716.000001AD4D461000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1702990607.000001AD4D45C000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1564418934.000001AD4F5BC000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1703513140.000001AD4D460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sWDHyper-V Hypervisor Root PartitioneL
Source: capt1cha.exe, 00000000.00000002.1704264716.000001AD4D461000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1702990607.000001AD4D45C000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1564418934.000001AD4F5BC000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1703513140.000001AD4D460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical ProcessorH
Source: capt1cha.exe, 00000000.00000002.1704264716.000001AD4D461000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1702990607.000001AD4D45C000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1564418934.000001AD4F5BC000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1703513140.000001AD4D460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 2Hyper-V VM Vid Partition.dllv
Source: capt1cha.exe, 00000000.00000003.1703268920.000001AD4D4A2000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1703196776.000001AD4D495000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000002.1704418071.000001AD4D4A3000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1702990607.000001AD4D491000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1564418934.000001AD4F5F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AlDHyper-V Virtual Machine Bus Pipesnp
Source: capt1cha.exe, 00000000.00000003.1541488525.000001AD4F159000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1540904732.000001AD4F159000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1539769252.000001AD4F159000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Process
Source: capt1cha.exe, 00000000.00000003.1540412986.000001AD4F1E9000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1541111979.000001AD4F1E9000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1539176715.000001AD4F1E9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Pro
Source: capt1cha.exe, 00000000.00000002.1704264716.000001AD4D461000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1702990607.000001AD4D45C000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1564418934.000001AD4F5BC000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1703513140.000001AD4D460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Hypervisors
Source: capt1cha.exe, 00000000.00000002.1704264716.000001AD4D461000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1703268920.000001AD4D4A2000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1702990607.000001AD4D45C000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1703196776.000001AD4D495000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1564418934.000001AD4F5BC000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000002.1704418071.000001AD4D4A3000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1703513140.000001AD4D460000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1702990607.000001AD4D491000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1564418934.000001AD4F5F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor
Source: capt1cha.exe, 00000000.00000003.1703268920.000001AD4D4A2000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1703196776.000001AD4D495000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000002.1704418071.000001AD4D4A3000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1702990607.000001AD4D491000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1564418934.000001AD4F5F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Virtual Processoryu
Source: capt1cha.exe, 00000000.00000003.1703268920.000001AD4D4A2000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1703196776.000001AD4D495000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000002.1704418071.000001AD4D4A3000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1702990607.000001AD4D491000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1564418934.000001AD4F5F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X2Hyper-V VM Vid PartitionQs(
Source: capt1cha.exe, 00000000.00000003.1702990607.000001AD4D45C000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1564418934.000001AD4F5BC000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000002.1704172602.000001AD4D45E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus PipesJ
Source: capt1cha.exe, 00000000.00000002.1704264716.000001AD4D461000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1702990607.000001AD4D45C000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1564418934.000001AD4F5BC000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1703513140.000001AD4D460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical ProcessorPQ
Source: capt1cha.exe, 00000000.00000003.1702990607.000001AD4D45C000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1564418934.000001AD4F5BC000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000002.1704172602.000001AD4D45E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Partition)
Source: capt1cha.exe, 00000000.00000003.1542391000.000001AD4F171000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1541784445.000001AD4F143000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1541880221.000001AD4F169000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Teredo Data3222In - Teredo Data User Mode3224In - Teredo Data Kernel Mode3226Out - Teredo Data User Mode3228Out - Teredo Data Kernel Mode6468Hyper-V Dynamic Memory Integration Service6470Maximum Memory, Mbytes1848Bluetooth Radio1850Classic ACL bytes written/sec1852LE ACL bytes written/sec1854SCO bytes written/sec1856Classic ACL bytes read/sec1858LE ACL bytes read/sec1860SCO bytes read/sec1862Classic ACL Connections1864LE ACL Connections1866SCO Connections1868Sideband SCO Connections1870ACL flush events/sec1872LE ACL write credits1874Classic ACL write credits1876LE Scan Duty Cycle (%) - Uncoded 1M Phy1878LE Scan Window - Uncoded 1M Phy1880LE Scan Interval - Uncoded 1M Phy1882Page Scan Duty Cycle (%)1884Page Scan Window1886Page Scan Interval1888Inquiry Scan Duty Cycle (%)1890Inquiry Scan Window1892Inquiry Scan Interval1894LE Scan Duty Cycle (%) - Coded Phy1896LE Scan Window - Coded Phy1898LE Scan Interval - Coded Phy1900Bluetooth Device1902Classic ACL bytes written/sec1904LE ACL bytes written/sec1906SCO bytes written/sec1908Classic ACL bytes read/sec1910LE ACL bytes read/sec1912SCO bytes read/sec3814ServiceModelService 4.0.0.03816Calls)
Source: capt1cha.exe, 00000000.00000003.1703268920.000001AD4D4A2000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1703196776.000001AD4D495000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000002.1704418071.000001AD4D4A3000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1702990607.000001AD4D491000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1564418934.000001AD4F5F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V ubofaqvhsupwiqp Bus PipesdK

Source: C:\Users\user\Desktop\capt1cha.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\capt1cha.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist" /FO CSV /NH	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\taskkill.exe "taskkill" /F /IM discord.exe	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist" /FI "IMAGENAME eq msedge.exe"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist" /FI "IMAGENAME eq chrome.exe"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless --restore-last-session --remote-debugging-port=8481 --remote-allow-origins=* "--user-data-dir=C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default --start-minimized	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --restore-last-session --remote-debugging-port=8480 --remote-allow-origins=* "--user-data-dir=C:\Users\user\AppData\Local\Google\Chrome\User Data" --profile-directory=Default --start-minimized	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist" /FI "IMAGENAME eq chrome.exe"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\taskkill.exe "taskkill" /F /IM chrome.exe	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\tasklist.exe "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\taskkill.exe "taskkill" /F /IM discord.exe			Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Process created: C:\Windows\System32\taskkill.exe "taskkill" /F /IM chrome.exe			Jump to behavior

Source: capt1cha.exe, 00000000.00000003.1559790278.000001AD4F2FB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\capt1cha.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Queries volume information: C:\Program Files\Google\Chrome\Application\chrome.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AmountExtractionHeuristicRegexes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Queries volume information: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CertificateRevocation VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CommerceHeuristics VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CrashpadMetrics-active.pma VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\FirstPartySetsPreloaded VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\ZxcvbnData VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\segmentation_platform VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Prysmax\Games VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Prysmax\Games\Minecraft_Java VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Prysmax\Games\Lunar_Client VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Prysmax\Games\Epic_Games VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Prysmax\Games\Minecraft_Bedrock VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Prysmax\Games\Valorant VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Prysmax\Games\Steam VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Prysmax\Games\Growtopia VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Prysmax\Games\Ubisoft_Connect VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Prysmax\Games\Rockstar_Social_Club VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Prysmax VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Prysmax VolumeInformation	Jump to behavior

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lnbpcjohmfbhjgfjmipfmelkhggmhpnm	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Comodo\Dragon\User Data\Default\Local Extension Settings	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bjofoeidpgaemhjphodclfladpkbfjbb	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hbcjdhmhafcddgbgfmolpmbjdpccblop	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlpjfgbghbphogmdnmkjmjjpfijgnjfb	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Maxthon\Application\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\piibdpjdcjlnagldghkbjmnpgncfmnkc	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpcfgclhklcjmnljjdjlobpjppadpgpn	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Comodo\Dragon\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Comodo\Dragon\User Data\Default\Bookmarks	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ajphlblpdflpbalhddmpcfamdfjoomlo	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Epic Privacy Browser\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Blisk\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\foelmdlhbpafabodfgpikjmbnpfkflpl	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Avira\Browser\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Bookmarks	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpdkmhcfhhadbcfhladgbkpmhmlgfccc	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdpjdgfdjmpbkjmefhhjfjjhfnmfndgf	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\chccpdbmlmjmjfohdpfkdlkophdbbake	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pbhedckkdoklflmbjfcjbpdomeebmmhp	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmfnghfgbeogfnnpnjafocgimjbplnbg	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ckjknflgookocgpcffkoghdpebdjbgjb	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pbcoeakecjbfhdnckkbplgleedkhmial	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\goafglolcnggfppbhhaoplnbmlpcfhgc	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Torch\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Slimjet\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kfmhfjkllgocnmpimkkcljlmbloboccm	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\CocCoc\Browser\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\faofihjfemlkdhhpnggafmnlfdkmgmhk	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhakmnfohnppecdpdeejgebllngjknbg	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abnbppgpgfgiebdpoljllabbgpfkhjnp	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pgjlagjpmejpoaemggdlnldlbekcfbim	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kljbbekmokhihdfbpmmcbikjdmdpddfg	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\iiooeenphgnfgmbmfdjofeifjjhgcfhb	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pdljgoopglnogpffgglhmikeifgfojpf	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Iridium\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnpgaiklhgkgkkjkkiklbjkdgiinpke	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Vivaldi\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\SRWare Iron\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pnkpkbcmngmgfpjakgfccphjfdcllnkg	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhilaheioajjhnpekbkpgnncfgejpgli	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\maoccknpflbdbeoimklhpdokmijjcbdg	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\CentBrowser\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gafpfdecljlbgpkbmjnifmfjkgbgfkcl	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fegphgklbihggoeamnmgfkgphkbefofo	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ecpnpejnpliponokjlolcbpejjhlneeg	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bdcafkkfigrdcngfmbabpoenhgogldmd	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jfiihjeoihilkdlndlooppohkiglfape	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gnomdcenhanheodjigbejioadkpojnke	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hjipfcgkglkojcnhbjmhcdoeicccnkoj	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnnjbpoomgphhmdbjmeplnfofphmjhlk	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\AVAST Software\Browser\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgpcophpppdhmgojpdjhejkbelpkbpgj	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onbfegendakgjfhkhkbhlolcfjnlhdfb	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Chromium\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mfplfkhihbhgaffphdfbgoajhdjbjeck	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abkheeeomgdbibdjganfbbdeglafkmgk	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hlgfnfeklcjgpchjlepcjlcjdbbbjdhl	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\UCBrowser\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Yandex\YandexBrowser\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bbdlofgfjokmjclkbmhldlhicbjmboik	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egogehnmfbjpkmnnggnpejgbjmclgllg	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior

Source: C:\Users\user\Desktop\capt1cha.exe	File opened / queried: C:\Users\user\AppData\Roaming\.minecraft			Jump to behavior
Source: C:\Users\user\Desktop\capt1cha.exe	File opened / queried: C:\Users\user\AppData\Roaming\.minecraft			Jump to behavior

Source: Yara match	File source: 0.2.capt1cha.exe.7ff76ec40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1705679022.00007FF76EC41000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: capt1cha.exe PID: 1252, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\Desktop\capt1cha.exe

Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless --restore-last-session --remote-debugging-port=8481 --remote-allow-origins=* "--user-data-dir=C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default --start-minimized

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	12 Process Injection	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	21 Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Disable or Modify Tools	LSASS Memory	3 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Remote Access Software	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	12 Process Injection	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Extra Window Memory Injection	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
capt1cha.exe	65%	Virustotal		Browse
capt1cha.exe	53%	ReversingLabs	Win32.Trojan.Generic
capt1cha.exe	100%	Avira	TR/PSW.Agent.tmith

Source	Detection	Scanner	Label	Link
https://panelonoaltanlyanlsaydprysmaxwebnasodaskfoa.digital/api/logV	100%	Avira URL Cloud	malware
https://panelonoaltanlyanlsaydprysmaxwebnasodaskfoa.digital/api/log	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
ipwhois.app	195.201.57.90	true	false	high
tools.l.google.com	142.250.185.174	true	false	high
www.google.com	142.250.186.68	true	false	high
tools.google.com	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipwhois.app/json/ist.exea	capt1cha.exe, 00000000.00000003.1702232848.000001AD4F308000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000002.1705156584.000001AD4F30E000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1700084435.000001AD4F300000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1699537164.000001AD4F2E0000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1702705141.000001AD4F30D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_alldp.ico	capt1cha.exe, 00000000.00000003.1394287133.000001AD4D4CA000.00000004.00000020.00020000.00000000.sdmp, temp_cards_1795881575.db.0.dr	false		high
https://ipwhois.app/json/	capt1cha.exe, 00000000.00000002.1705679022.00007FF76EC41000.00000040.00000001.01000000.00000003.sdmp, capt1cha.exe, 00000000.00000003.1699537164.000001AD4F2E0000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1702705141.000001AD4F30D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipwhois.app/json/st_aeD	capt1cha.exe, 00000000.00000003.1702232848.000001AD4F308000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000002.1705156584.000001AD4F30E000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1700084435.000001AD4F300000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1699537164.000001AD4F2E0000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1702705141.000001AD4F30D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/v20	capt1cha.exe, 00000000.00000003.1394287133.000001AD4D4CA000.00000004.00000020.00020000.00000000.sdmp, temp_cards_1795881575.db.0.dr	false		high
https://api.ipify.org?format=jsonxi	capt1cha.exe, 00000000.00000002.1705679022.00007FF76EC41000.00000040.00000001.01000000.00000003.sdmp	false		high
https://duckduckgo.com/ac/?q=	temp_cards_1795881575.db.0.dr	false		high
https://duckduckgo.com/chrome_newtabv20	capt1cha.exe, 00000000.00000003.1394287133.000001AD4D4CA000.00000004.00000020.00020000.00000000.sdmp, temp_cards_1795881575.db.0.dr	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	capt1cha.exe, 00000000.00000003.1394287133.000001AD4D4CA000.00000004.00000020.00020000.00000000.sdmp, temp_cards_1795881575.db.0.dr	false		high
https://api.ipify.org?format=json	capt1cha.exe, capt1cha.exe, 00000000.00000002.1705679022.00007FF76EC41000.00000040.00000001.01000000.00000003.sdmp	false		high
https://docs.rs/getrandom#nodejs-es-module-support	capt1cha.exe, capt1cha.exe, 00000000.00000002.1705679022.00007FF76EC41000.00000040.00000001.01000000.00000003.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	temp_cards_1795881575.db.0.dr	false		high
https://ac.ecosia.org?q=	temp_cards_1795881575.db.0.dr	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	capt1cha.exe, 00000000.00000003.1394287133.000001AD4D4CA000.00000004.00000020.00020000.00000000.sdmp, temp_cards_1795881575.db.0.dr	false		high
https://ipwhois.app/json/ist.exeaeata	capt1cha.exe, 00000000.00000003.1702232848.000001AD4F308000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000002.1705156584.000001AD4F30E000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1700084435.000001AD4F300000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1699537164.000001AD4F2E0000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1702705141.000001AD4F30D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://panelonoaltanlyanlsaydprysmaxwebnasodaskfoa.digital/api/log	capt1cha.exe, capt1cha.exe, 00000000.00000003.1702990607.000001AD4D45C000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000002.1705679022.00007FF76EC41000.00000040.00000001.01000000.00000003.sdmp, capt1cha.exe, 00000000.00000003.1564418934.000001AD4F5BC000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000002.1704172602.000001AD4D45E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ipwhois.app/json/TEMPPrysmax	capt1cha.exe, 00000000.00000002.1705679022.00007FF76EC41000.00000040.00000001.01000000.00000003.sdmp	false		high
https://panelonoaltanlyanlsaydprysmaxwebnasodaskfoa.digital/api/logV	capt1cha.exe, 00000000.00000003.1702990607.000001AD4D45C000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000003.1564418934.000001AD4F5BC000.00000004.00000020.00020000.00000000.sdmp, capt1cha.exe, 00000000.00000002.1704172602.000001AD4D45E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ipwhois.app/json/0	capt1cha.exe, 00000000.00000002.1705679022.00007FF76EC41000.00000040.00000001.01000000.00000003.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	temp_cards_1795881575.db.0.dr	false		high
https://gemini.google.com/app?q=	temp_cards_1795881575.db.0.dr	false		high
https://aka.ms/Vh5j3k	capt1cha.exe, 00000000.00000003.1560544381.000001AD4F30E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aka.ms/odirm	capt1cha.exe, 00000000.00000003.1560544381.000001AD4F30E000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.250.186.68	www.google.com	United States		15169	GOOGLEUS	false
195.201.57.90	ipwhois.app	Germany		24940	HETZNER-ASDE	false

Private

IP
192.168.2.4
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1631995
Start date and time:	2025-03-07 18:18:37 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	77
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	capt1cha.exe
Detection:	MAL
Classification:	mal92.troj.spyw.evad.winEXE@123/10@15/4
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): SgrmBroker.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.199.214.10, 199.232.214.172, 142.250.186.99, 142.250.185.142, 74.125.206.84, 216.58.206.78, 142.250.185.174, 216.58.206.46
Excluded domains from analysis (whitelisted): fs.microsoft.com, clients2.google.com, accounts.google.com, redirector.gvt1.com, e16604.f.akamaiedge.net, ctldl.windowsupdate.com, clientservices.googleapis.com, clients.l.google.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, c.pki.goog
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
195.201.57.90	sender.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	sender.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	Flash_USDT_Sender.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	Flash_USDT_Sender.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	SPt4FUjZMt.exe	Get hash	malicious	AsyncRAT, Luca Stealer, MicroClip, PythonCryptoHijacker, RedLine	Browse	/?output=json
	765iYbgWn9.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	765iYbgWn9.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	WfKynArKjH.exe	Get hash	malicious	AsyncRAT, Luca Stealer, MicroClip, RedLine	Browse	/?output=json
	ubes6SC7Vd.exe	Get hash	malicious	Unknown	Browse	ipwhois.app/xml/
	cOQD62FceM.exe	Get hash	malicious	Luca Stealer, Rusty Stealer	Browse	/?output=json

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipwhois.app	NrFs9S2x5P.vbs	Get hash	malicious	MoDiRAT	Browse	195.201.57.90
	4GkyooSSU6.vbs	Get hash	malicious	MoDiRAT	Browse	195.201.57.90
	8FPbFaueUE.vbs	Get hash	malicious	MoDiRAT	Browse	195.201.57.90
	PBuqd1KwaW.vbs	Get hash	malicious	MoDiRAT	Browse	195.201.57.90
	GN69N6xL96.vbs	Get hash	malicious	MoDiRAT	Browse	195.201.57.90
	Irdff95nUE.exe	Get hash	malicious	MoDiRAT	Browse	195.201.57.90
	Irdff95nUE.exe	Get hash	malicious	MoDiRAT	Browse	195.201.57.90
	captcha.exe	Get hash	malicious	PRYSMAX STEALER	Browse	195.201.57.90
	SecuriteInfo.com.Win64.MalwareX-gen.24714.14996.exe	Get hash	malicious	Unknown	Browse	195.201.57.90
	cf.hta	Get hash	malicious	Unknown	Browse	195.201.57.90
tools.l.google.com	https://starkiss.hu/	Get hash	malicious	Unknown	Browse	142.250.181.238
	https://evening-ivy-save.glitch.me/	Get hash	malicious	Unknown	Browse	142.250.184.238
	https://chromeenterprise.google/download/	Get hash	malicious	Unknown	Browse	216.58.212.142
	index.html	Get hash	malicious	Unknown	Browse	172.217.168.46
	http://heraldoffers.com	Get hash	malicious	Unknown	Browse	142.250.184.238
	Circular_no_088_Annexure_pdf.html	Get hash	malicious	HTMLPhisher	Browse	142.250.186.78
	RTGS_UCB_DCCB_docx.html	Get hash	malicious	HTMLPhisher	Browse	142.250.185.110
	https://apps.twc.texas.gov/UITAXSERV/security/logon.do	Get hash	malicious	Unknown	Browse	142.250.185.78
	Gestion-IMMO juillet (4) (1).pdf	Get hash	malicious	Unknown	Browse	142.250.184.206
	chrome.html	Get hash	malicious	Unknown	Browse	172.217.23.110

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HETZNER-ASDE	awb_post_dhl_delivery_documents_pdf.vbs	Get hash	malicious	XWorm	Browse	49.12.134.146
	a3mJZekUZC.exe	Get hash	malicious	Quasar	Browse	195.201.57.90
	Confirmation number 0001592289.xls	Get hash	malicious	Unknown	Browse	5.161.200.29
	SWIFT COPY.xls	Get hash	malicious	Unknown	Browse	5.161.200.29
	skf7iF4.bat	Get hash	malicious	Unknown	Browse	195.201.57.90
	Confirmation number 0001592289.xls	Get hash	malicious	Unknown	Browse	5.161.200.29
	SWIFT COPY.xls	Get hash	malicious	Unknown	Browse	5.161.200.29
	Confirmation number 0001592289.xls	Get hash	malicious	Unknown	Browse	5.161.200.29
	SWIFT COPY.xls	Get hash	malicious	Unknown	Browse	5.161.200.29
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	NEW__Review_202591760.svg	Get hash	malicious	Invisible JS	Browse	204.79.197.222
	SecuriteInfo.com.Win32.RATX-gen.5196.22979.exe	Get hash	malicious	XWorm	Browse	204.79.197.222
	https://www.logisticsacp.com/	Get hash	malicious	Unknown	Browse	204.79.197.222
	GGP_DOCUMENTO CITACION AUDIENCIA_GGP.svg	Get hash	malicious	AsyncRAT, DcRat	Browse	204.79.197.222
	http://lockbitspyakyequybgwgwauhzqxx7ba2gh3lmlj3zyeuaknrexdzfid.onion	Get hash	malicious	Unknown	Browse	204.79.197.222
	U0443.pdf.js	Get hash	malicious	RMSRemoteAdmin	Browse	204.79.197.222
	bdc2be5bddda548dec3c2d88464a698627ac9447aae621d8.ps1	Get hash	malicious	LummaC Stealer	Browse	204.79.197.222
	https://graph.org/WBACK-03-06?qb3n	Get hash	malicious	Unknown	Browse	204.79.197.222
	PBuqd1KwaW.vbs	Get hash	malicious	MoDiRAT	Browse	204.79.197.222
	https://www.webfun.website/landingpages/12b78f40-24f5-43af-abe3-db66cd6cb5d9/vUeSTvYy3G3_2duuMOjHtb2p0eu4NcJoZuBBhllCb7k	Get hash	malicious	HTMLPhisher	Browse	204.79.197.222
3b5074b1b5d032e5620f69f9f700ff0e	Lead.Upload.Report.Feb.2025.exe	Get hash	malicious	Unknown	Browse	195.201.57.90
	awb_post_dhl_delivery_documents_pdf.vbs	Get hash	malicious	XWorm	Browse	195.201.57.90
	Damage product 3.vbs	Get hash	malicious	AsyncRAT, Batch Injector, VenomRAT	Browse	195.201.57.90
	a3mJZekUZC.exe	Get hash	malicious	Quasar	Browse	195.201.57.90
	skf7iF4.bat	Get hash	malicious	Unknown	Browse	195.201.57.90
	ImglZsXSwr.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	195.201.57.90
	georgefloyd.bat	Get hash	malicious	XWorm	Browse	195.201.57.90
	cf_verif.ps1	Get hash	malicious	Unknown	Browse	195.201.57.90
	0J5R54fzDJ.ps1	Get hash	malicious	Unknown	Browse	195.201.57.90
	Update.exe	Get hash	malicious	Unknown	Browse	195.201.57.90

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	280
Entropy (8bit):	0.7403664744478247
Encrypted:	false
SSDEEP:	3:FiWXlv9U:Lv
MD5:	99BBE027A67D5B8E84C910F7C77709D2
SHA1:	372EFA7431F8EECFC4247C810131CB6928E50AC3
SHA-256:	0F27051CF1DA3BBA983425A45ED2DE291E43491E0A982844D92C5B92AF34FCAE
SHA-512:	E3970DEFF941FE95016F731651C7C234FF4AD27B54317BE44B4292F050E2A4B9ACACFF103837ADFC94999F9B534098231204C26D9BBDF47412CFE09C50F77BE7
Malicious:	false
Preview:	sdPC......................5.y&.K.?....................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\DevToolsActivePort

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	modified
Size (bytes):	59
Entropy (8bit):	4.403687439765546
Encrypted:	false
SSDEEP:	3:RsdKSuypSfB1xNlzz:aI5xdH
MD5:	7486EC50B3F862D72B0C2DE69C0A0240
SHA1:	3EFCBE8C513F1945C7B43C0ADE5329851D52F273
SHA-256:	C7A95445319F2B85B2CA1AF33283A982B40A18C2395699569C46B336DF7999DF
SHA-512:	B66D767F501490CC274A2AAA1572CAAD62C8D52DFA75C05CB61985A8AC3853D7B13DCAECA5DF59FE3F7026BD3BB1EB91228F22466256EE79199E484A0C39B95D
Malicious:	false
Preview:	8481./devtools/browser/61767ebb-8a7c-40a6-833c-5201bcb8e324

C:\Users\user\AppData\Local\Temp\temp_cards_1394137168.db

Download File

Process:	C:\Users\user\Desktop\capt1cha.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\temp_cards_1795881575.db

Download File

Process:	C:\Users\user\Desktop\capt1cha.exe
File Type:	SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 6, database pages 68, cookie 0x4a, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	139264
Entropy (8bit):	1.1366509594298093
Encrypted:	false
SSDEEP:	192:+lsfoVZkNi61n1ulH5eJpX6Nq4wOVuaaDPqfPk:+lsfoQx1n1ulH5683wOVuaaDPqfM
MD5:	C5CFBCA422AD1353E7116A02424C59FD
SHA1:	38F032839FC5E1F890FAA636390A3CC9556AD350
SHA-256:	F0BFA28378F9311F7EED68314B9476296522994570F3C7B4567AB71857CAC546
SHA-512:	94463562E57B9D42995A55C24E403E6DA2EFD56C0C8EB0DAAF9C5D6D2BC85981717A2D89E92E8F492A409F1BFE1406BA5F1B559AC3457CB4353D227D1954C84B
Malicious:	false
Preview:	SQLite format 3......@ .......D...........J......................................................zp...........<........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\temp_history_2960040337.db

Download File

Process:	C:\Users\user\Desktop\capt1cha.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\temp_history_4167587886.db

Download File

Process:	C:\Users\user\Desktop\capt1cha.exe
File Type:	SQLite 3.x database, last written using SQLite version 3046000, file counter 6, database pages 41, 1st free page 29, free pages 1, cookie 0x25, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	0.4792253015780342
Encrypted:	false
SSDEEP:	96:xWpdkG7xQ+ALqL/uejzH+bF+UIYysX0lj/twfLyl0e9S8E:ApdkG77IqL/tH+bF+UI3i67Kylj9
MD5:	33642526D21BAF34FB5D5AAF11B3FB91
SHA1:	A64B4A7605D8B449C085474A3484921975EF6C14
SHA-256:	3ED06184837C7FF625C54589CA2037F127E0525E3541DE8960A9D5503625862B
SHA-512:	A013359FCBAC1005653793D3FF6398E32746E2F6FFCDA26AA3C9EB96279F7A2E989E05B5B8D2510EAF5F93DDD6281A71773DA81C472FCC71AD74315353948782
Malicious:	false
Preview:	SQLite format 3......@ .......)...........%......................................................zp....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\temp_login_1057773111.db

Download File

Process:	C:\Users\user\Desktop\capt1cha.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\temp_login_1949023805.db

Download File

Process:	C:\Users\user\Desktop\capt1cha.exe
File Type:	SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 2, database pages 20, cookie 0xc, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8616778647394084
Encrypted:	false
SSDEEP:	48:pMtA+IIkCVEq8Ma0D0HOlf/6ykwpLf/UUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:pOCCn8MouB6w9f/MiZqmvJKLPeymwil
MD5:	BDDE4AD11E732420E7ABCCA946B11611
SHA1:	278C3386A37BAFCA507CF4C128600B01B312DDA0
SHA-256:	099AB6B902097361832FC2485E96C71C827E722FA74C09C7D08DCE9091094C1D
SHA-512:	B29061A507FCAE2CB56155C5C911706E60C798D288968B210A1670C0F0D1D3F7B3B2B2919B946FED47C4975B157A56B557F71AE80A427C85C660F6B37153C9E8
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................zp....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\Null

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	99
Entropy (8bit):	4.873177429167396
Encrypted:	false
SSDEEP:	3:y2MKJCJMyPfRUWs7N2RKSuypSfB1xNlzGn:fYMyRUt2K5xdS
MD5:	A139BDA01A0A297DDE4291B0CB770A4D
SHA1:	564DC69E7349A248C1365C84DCDCDCFFA84D493D
SHA-256:	1571C9C7FEB586B56AF677A7ABFDD05AB93C18A246F9D1313B4F12AC8D018945
SHA-512:	50EF035A14BF138D95EEB81CC654953A67D3F474C6A28C2CDB7DC9424F1A7109C0112416C7482B162D8DB5C63151EFDC941E25EA6AC5B84C339E3F62B0427C42
Malicious:	false
Preview:	..DevTools listening on ws://127.0.0.1:8481/devtools/browser/61767ebb-8a7c-40a6-833c-5201bcb8e324..

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.930932831491414
TrID:	Win64 Executable GUI (202006/5) 81.26% UPX compressed Win32 Executable (30571/9) 12.30% Win64 Executable (generic) (12005/4) 4.83% Generic Win/DOS Executable (2004/3) 0.81% DOS Executable Generic (2002/1) 0.81%
File name:	capt1cha.exe
File size:	2'806'784 bytes
MD5:	032f2e9ef6b95a08483283d3901e25b4
SHA1:	8c3390a9ab98f36c3202c83eec3ba10c25b67eb7
SHA256:	b18c61d9c5e8375d870516f616d1145a4496411c1b914f692620973decf8688a
SHA512:	8cec41284bfe1c841316a081df8f9b75ebb3e2b44741468bd3883987a3607a19011b426f367810ae0829395c8a06c26a8985ed5a34d3aa97bfb65c179e7dcdf9
SSDEEP:	49152:usd2DZXG0/aEH/GUGB8BgZDR8OF1HmHe/STHPqC:D2lxaEEB8BgZlz1GH7
TLSH:	ADD533C18B7368E2E46BC0B1B7A06386025DE09EF6C3D03B5F5E8617B0BD9D44A9C56D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......wT8.35V.35V.35V.xMU.85V.xMS..5V.xMR.?5V.".U.:5V.".R.#5V.".S..5V.35W.P4V...R..5V.35V..4V.....25V...T.25V.Rich35V................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x14081f230
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x67A4E936 [Thu Feb 6 16:54:14 2025 UTC]
TLS Callbacks:	0x4081f4d5, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	fda4c3ab64ebe4f2a09bfbaa10a60a3a

Entrypoint Preview

Instruction
push ebx
push esi
push edi
push ebp
dec eax
lea esi, dword ptr [FFD53DC5h]
dec eax
lea edi, dword ptr [esi-00572000h]
dec eax
lea eax, dword ptr [edi+007C3408h]
push dword ptr [eax]
mov dword ptr [eax], 6705FFF9h
push eax
push edi
xor ebx, ebx
xor ecx, ecx
dec eax
or ebp, FFFFFFFFh
call 00007F2DBC7F1B05h
add ebx, ebx
je 00007F2DBC7F1AB4h
rep ret
mov ebx, dword ptr [esi]
dec eax
sub esi, FFFFFFFCh
adc ebx, ebx
mov dl, byte ptr [esi]
rep ret
dec eax
lea eax, dword ptr [edi+ebp]
cmp ecx, 05h
mov dl, byte ptr [eax]
jbe 00007F2DBC7F1AD3h
dec eax
cmp ebp, FFFFFFFCh
jnbe 00007F2DBC7F1ACDh
sub ecx, 04h
mov edx, dword ptr [eax]
dec eax
add eax, 04h
sub ecx, 04h
mov dword ptr [edi], edx
dec eax
lea edi, dword ptr [edi+04h]
jnc 00007F2DBC7F1AA1h
add ecx, 04h
mov dl, byte ptr [eax]
je 00007F2DBC7F1AC2h
dec eax
inc eax
mov byte ptr [edi], dl
sub ecx, 01h
mov dl, byte ptr [eax]
dec eax
lea edi, dword ptr [edi+01h]
jne 00007F2DBC7F1AA2h
rep ret
cld
inc ecx
pop ebx
jmp 00007F2DBC7F1ABAh
dec eax
inc esi
mov byte ptr [edi], dl
dec eax
inc edi
mov dl, byte ptr [esi]
add ebx, ebx
jne 00007F2DBC7F1ABCh
mov ebx, dword ptr [esi]
dec eax
sub esi, FFFFFFFCh
adc ebx, ebx
mov dl, byte ptr [esi]
jc 00007F2DBC7F1A98h
lea eax, dword ptr [ecx+01h]
jmp 00007F2DBC7F1AB9h
dec eax
inc ecx
call ebx
adc eax, eax
inc ecx
call ebx
adc eax, eax
add ebx, ebx
jne 00007F2DBC7F1ABCh
mov ebx, dword ptr [esi]
dec eax
sub esi, FFFFFFFCh
adc ebx, ebx
mov dl, byte ptr [esi]
jnc 00007F2DBC7F1A96h
sub eax, 03h
jc 00007F2DBC7F1ACBh
shl eax, 08h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x82020c	0x4a8	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x820000	0x20c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x7c6000	0x42258	UPX1
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8206b4	0x24	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x81f500	0x28	UPX1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x81f690	0x140	UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x572000	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0x573000	0x2ad000	0x2ac800	ab0399010bef86c77cae4abb4d32e856	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x820000	0x1000	0x800	b46bf30c3a56709ea50faaf9f0c7e4b4	False	0.38671875	data	3.3830496132266217	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x82005c	0x1b0	data	English	United States	0.5023148148148148

Imports

DLL	Import
advapi32.dll	CopySid
api-ms-win-core-synch-l1-2-0.dll	WaitOnAddress
bcrypt.dll	BCryptGenRandom
bcryptprimitives.dll	ProcessPrng
crypt32.dll	CertOpenStore
iphlpapi.dll	GetIfTable2
KERNEL32.DLL	LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
netapi32.dll	NetUserEnum
ntdll.dll	NtReadFile
ole32.dll	CoTaskMemFree
oleaut32.dll	VariantClear
pdh.dll	PdhCloseQuery
powrprof.dll	CallNtPowerInformation
psapi.dll	GetPerformanceInfo
secur32.dll	EncryptMessage
shell32.dll	CommandLineToArgvW
ws2_32.dll	bind

Version Infos

Description	Data
FileVersion	0.1.0
ProductName	credentials
FileDescription	credentials
ProductVersion	0.1.0
Translation	0x0000 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 7, 2025 18:19:35.246049881 CET	49671	443	192.168.2.4	204.79.197.203
Mar 7, 2025 18:19:35.558315039 CET	49671	443	192.168.2.4	204.79.197.203
Mar 7, 2025 18:19:36.167701006 CET	49671	443	192.168.2.4	204.79.197.203
Mar 7, 2025 18:19:37.370822906 CET	49671	443	192.168.2.4	204.79.197.203
Mar 7, 2025 18:19:39.777092934 CET	49671	443	192.168.2.4	204.79.197.203
Mar 7, 2025 18:19:44.012451887 CET	49678	443	192.168.2.4	20.189.173.27
Mar 7, 2025 18:19:44.324006081 CET	49678	443	192.168.2.4	20.189.173.27
Mar 7, 2025 18:19:44.589706898 CET	49671	443	192.168.2.4	204.79.197.203
Mar 7, 2025 18:19:44.933702946 CET	49678	443	192.168.2.4	20.189.173.27
Mar 7, 2025 18:19:46.136651993 CET	49678	443	192.168.2.4	20.189.173.27
Mar 7, 2025 18:19:48.557555914 CET	49678	443	192.168.2.4	20.189.173.27
Mar 7, 2025 18:19:48.751719952 CET	49709	443	192.168.2.4	131.253.33.254
Mar 7, 2025 18:19:48.752945900 CET	49709	443	192.168.2.4	131.253.33.254
Mar 7, 2025 18:19:48.752985001 CET	49709	443	192.168.2.4	131.253.33.254
Mar 7, 2025 18:19:48.756884098 CET	443	49709	131.253.33.254	192.168.2.4
Mar 7, 2025 18:19:48.758024931 CET	443	49709	131.253.33.254	192.168.2.4
Mar 7, 2025 18:19:48.758035898 CET	443	49709	131.253.33.254	192.168.2.4
Mar 7, 2025 18:19:48.856237888 CET	443	49709	131.253.33.254	192.168.2.4
Mar 7, 2025 18:19:48.856430054 CET	49709	443	192.168.2.4	131.253.33.254
Mar 7, 2025 18:19:48.987421036 CET	443	49709	131.253.33.254	192.168.2.4
Mar 7, 2025 18:19:48.987514019 CET	49709	443	192.168.2.4	131.253.33.254
Mar 7, 2025 18:19:48.987709999 CET	49709	443	192.168.2.4	131.253.33.254
Mar 7, 2025 18:19:48.992666006 CET	443	49709	131.253.33.254	192.168.2.4
Mar 7, 2025 18:19:48.996177912 CET	49709	443	192.168.2.4	131.253.33.254
Mar 7, 2025 18:19:49.001224041 CET	443	49709	131.253.33.254	192.168.2.4
Mar 7, 2025 18:19:49.101293087 CET	443	49709	131.253.33.254	192.168.2.4
Mar 7, 2025 18:19:49.101392031 CET	49709	443	192.168.2.4	131.253.33.254
Mar 7, 2025 18:19:49.139265060 CET	49680	443	192.168.2.4	204.79.197.222
Mar 7, 2025 18:19:49.139723063 CET	49716	443	192.168.2.4	204.79.197.222
Mar 7, 2025 18:19:49.139767885 CET	443	49716	204.79.197.222	192.168.2.4
Mar 7, 2025 18:19:49.139842987 CET	49716	443	192.168.2.4	204.79.197.222
Mar 7, 2025 18:19:49.140005112 CET	49716	443	192.168.2.4	204.79.197.222
Mar 7, 2025 18:19:49.140014887 CET	443	49716	204.79.197.222	192.168.2.4
Mar 7, 2025 18:19:49.251024008 CET	49717	80	192.168.2.4	142.250.185.67
Mar 7, 2025 18:19:49.256140947 CET	80	49717	142.250.185.67	192.168.2.4
Mar 7, 2025 18:19:49.256339073 CET	49717	80	192.168.2.4	142.250.185.67
Mar 7, 2025 18:19:49.256438017 CET	49717	80	192.168.2.4	142.250.185.67
Mar 7, 2025 18:19:49.261477947 CET	80	49717	142.250.185.67	192.168.2.4
Mar 7, 2025 18:19:49.436958075 CET	49680	443	192.168.2.4	204.79.197.222
Mar 7, 2025 18:19:49.876765013 CET	80	49717	142.250.185.67	192.168.2.4
Mar 7, 2025 18:19:49.882457018 CET	49717	80	192.168.2.4	142.250.185.67
Mar 7, 2025 18:19:49.887512922 CET	80	49717	142.250.185.67	192.168.2.4
Mar 7, 2025 18:19:50.046340942 CET	49680	443	192.168.2.4	204.79.197.222
Mar 7, 2025 18:19:50.061994076 CET	80	49717	142.250.185.67	192.168.2.4
Mar 7, 2025 18:19:50.108834982 CET	49717	80	192.168.2.4	142.250.185.67
Mar 7, 2025 18:19:51.250581026 CET	49680	443	192.168.2.4	204.79.197.222
Mar 7, 2025 18:19:51.276842117 CET	443	49716	204.79.197.222	192.168.2.4
Mar 7, 2025 18:19:51.276947021 CET	49716	443	192.168.2.4	204.79.197.222
Mar 7, 2025 18:19:53.363616943 CET	49678	443	192.168.2.4	20.189.173.27
Mar 7, 2025 18:19:53.661029100 CET	49680	443	192.168.2.4	204.79.197.222
Mar 7, 2025 18:19:54.192827940 CET	49671	443	192.168.2.4	204.79.197.203
Mar 7, 2025 18:19:58.464999914 CET	49680	443	192.168.2.4	204.79.197.222
Mar 7, 2025 18:20:02.969310999 CET	49678	443	192.168.2.4	20.189.173.27
Mar 7, 2025 18:20:08.073973894 CET	49680	443	192.168.2.4	204.79.197.222
Mar 7, 2025 18:20:09.134852886 CET	49731	443	192.168.2.4	142.250.186.68
Mar 7, 2025 18:20:09.134898901 CET	443	49731	142.250.186.68	192.168.2.4
Mar 7, 2025 18:20:09.134968042 CET	49731	443	192.168.2.4	142.250.186.68
Mar 7, 2025 18:20:09.135346889 CET	49731	443	192.168.2.4	142.250.186.68
Mar 7, 2025 18:20:09.135361910 CET	443	49731	142.250.186.68	192.168.2.4
Mar 7, 2025 18:20:11.367027044 CET	443	49731	142.250.186.68	192.168.2.4
Mar 7, 2025 18:20:11.379100084 CET	49731	443	192.168.2.4	142.250.186.68
Mar 7, 2025 18:20:21.539992094 CET	49733	443	192.168.2.4	195.201.57.90
Mar 7, 2025 18:20:21.540091038 CET	443	49733	195.201.57.90	192.168.2.4
Mar 7, 2025 18:20:21.540193081 CET	49733	443	192.168.2.4	195.201.57.90
Mar 7, 2025 18:20:21.559966087 CET	49733	443	192.168.2.4	195.201.57.90
Mar 7, 2025 18:20:21.560048103 CET	443	49733	195.201.57.90	192.168.2.4
Mar 7, 2025 18:20:24.041753054 CET	443	49733	195.201.57.90	192.168.2.4
Mar 7, 2025 18:20:24.041826963 CET	49733	443	192.168.2.4	195.201.57.90
Mar 7, 2025 18:20:24.045238018 CET	49733	443	192.168.2.4	195.201.57.90
Mar 7, 2025 18:20:24.045253038 CET	443	49733	195.201.57.90	192.168.2.4
Mar 7, 2025 18:20:24.045489073 CET	443	49733	195.201.57.90	192.168.2.4
Mar 7, 2025 18:20:24.100104094 CET	49733	443	192.168.2.4	195.201.57.90
Mar 7, 2025 18:20:24.100471020 CET	49733	443	192.168.2.4	195.201.57.90
Mar 7, 2025 18:20:24.144328117 CET	443	49733	195.201.57.90	192.168.2.4
Mar 7, 2025 18:20:24.668905020 CET	443	49733	195.201.57.90	192.168.2.4
Mar 7, 2025 18:20:24.668988943 CET	443	49733	195.201.57.90	192.168.2.4
Mar 7, 2025 18:20:24.669059038 CET	49733	443	192.168.2.4	195.201.57.90
Mar 7, 2025 18:20:24.669606924 CET	49733	443	192.168.2.4	195.201.57.90
Mar 7, 2025 18:20:24.669661045 CET	443	49733	195.201.57.90	192.168.2.4
Mar 7, 2025 18:20:50.615848064 CET	49717	80	192.168.2.4	142.250.185.67
Mar 7, 2025 18:20:50.621264935 CET	80	49717	142.250.185.67	192.168.2.4
Mar 7, 2025 18:20:50.621344090 CET	49717	80	192.168.2.4	142.250.185.67
Mar 7, 2025 18:21:21.796617985 CET	443	49708	52.113.196.254	192.168.2.4
Mar 7, 2025 18:21:21.796901941 CET	49708	443	192.168.2.4	52.113.196.254

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 7, 2025 18:20:04.881988049 CET	58266	53	192.168.2.4	1.1.1.1
Mar 7, 2025 18:20:04.882167101 CET	52513	53	192.168.2.4	1.1.1.1
Mar 7, 2025 18:20:04.888426065 CET	53	58001	1.1.1.1	192.168.2.4
Mar 7, 2025 18:20:04.888858080 CET	53	58266	1.1.1.1	192.168.2.4
Mar 7, 2025 18:20:04.891848087 CET	53	52513	1.1.1.1	192.168.2.4
Mar 7, 2025 18:20:05.112104893 CET	53	61282	1.1.1.1	192.168.2.4
Mar 7, 2025 18:20:05.894129038 CET	58150	53	192.168.2.4	1.1.1.1
Mar 7, 2025 18:20:05.894337893 CET	50055	53	192.168.2.4	1.1.1.1
Mar 7, 2025 18:20:05.900631905 CET	60527	53	192.168.2.4	1.1.1.1
Mar 7, 2025 18:20:05.900842905 CET	61249	53	192.168.2.4	1.1.1.1
Mar 7, 2025 18:20:05.901140928 CET	53	58150	1.1.1.1	192.168.2.4
Mar 7, 2025 18:20:05.901891947 CET	53	50055	1.1.1.1	192.168.2.4
Mar 7, 2025 18:20:05.907788038 CET	53	60527	1.1.1.1	192.168.2.4
Mar 7, 2025 18:20:05.908159971 CET	53	61249	1.1.1.1	192.168.2.4
Mar 7, 2025 18:20:06.914225101 CET	51069	53	192.168.2.4	1.1.1.1
Mar 7, 2025 18:20:06.914386988 CET	64879	53	192.168.2.4	1.1.1.1
Mar 7, 2025 18:20:06.921499014 CET	53	51069	1.1.1.1	192.168.2.4
Mar 7, 2025 18:20:06.922111988 CET	53	64879	1.1.1.1	192.168.2.4
Mar 7, 2025 18:20:08.681956053 CET	57598	53	192.168.2.4	1.1.1.1
Mar 7, 2025 18:20:08.682157993 CET	62714	53	192.168.2.4	1.1.1.1
Mar 7, 2025 18:20:08.689529896 CET	53	57598	1.1.1.1	192.168.2.4
Mar 7, 2025 18:20:08.691840887 CET	53	62714	1.1.1.1	192.168.2.4
Mar 7, 2025 18:20:08.741280079 CET	53	56862	1.1.1.1	192.168.2.4
Mar 7, 2025 18:20:09.126328945 CET	54629	53	192.168.2.4	1.1.1.1
Mar 7, 2025 18:20:09.126532078 CET	56512	53	192.168.2.4	1.1.1.1
Mar 7, 2025 18:20:09.133590937 CET	53	54629	1.1.1.1	192.168.2.4
Mar 7, 2025 18:20:09.133698940 CET	53	56512	1.1.1.1	192.168.2.4
Mar 7, 2025 18:20:09.704570055 CET	53388	53	192.168.2.4	1.1.1.1
Mar 7, 2025 18:20:09.704713106 CET	60252	53	192.168.2.4	1.1.1.1
Mar 7, 2025 18:20:09.712024927 CET	53	53388	1.1.1.1	192.168.2.4
Mar 7, 2025 18:20:09.715625048 CET	53	60252	1.1.1.1	192.168.2.4
Mar 7, 2025 18:20:21.529371977 CET	51983	53	192.168.2.4	1.1.1.1
Mar 7, 2025 18:20:21.538927078 CET	53	51983	1.1.1.1	192.168.2.4
Mar 7, 2025 18:20:43.684056997 CET	138	138	192.168.2.4	192.168.2.255

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Mar 7, 2025 18:20:05.901206970 CET	192.168.2.4	1.1.1.1	c20c	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 7, 2025 18:20:04.881988049 CET	192.168.2.4	1.1.1.1	0x14e5	Standard query (0)	tools.google.com	A (IP address)	IN (0x0001)	false
Mar 7, 2025 18:20:04.882167101 CET	192.168.2.4	1.1.1.1	0x148b	Standard query (0)	tools.google.com	65	IN (0x0001)	false
Mar 7, 2025 18:20:05.894129038 CET	192.168.2.4	1.1.1.1	0x72ec	Standard query (0)	tools.google.com	A (IP address)	IN (0x0001)	false
Mar 7, 2025 18:20:05.894337893 CET	192.168.2.4	1.1.1.1	0x5637	Standard query (0)	tools.google.com	65	IN (0x0001)	false
Mar 7, 2025 18:20:05.900631905 CET	192.168.2.4	1.1.1.1	0xd3fd	Standard query (0)	tools.google.com	A (IP address)	IN (0x0001)	false
Mar 7, 2025 18:20:05.900842905 CET	192.168.2.4	1.1.1.1	0x2b3a	Standard query (0)	tools.google.com	65	IN (0x0001)	false
Mar 7, 2025 18:20:06.914225101 CET	192.168.2.4	1.1.1.1	0x673c	Standard query (0)	tools.google.com	A (IP address)	IN (0x0001)	false
Mar 7, 2025 18:20:06.914386988 CET	192.168.2.4	1.1.1.1	0x484b	Standard query (0)	tools.google.com	65	IN (0x0001)	false
Mar 7, 2025 18:20:08.681956053 CET	192.168.2.4	1.1.1.1	0xf91c	Standard query (0)	tools.google.com	A (IP address)	IN (0x0001)	false
Mar 7, 2025 18:20:08.682157993 CET	192.168.2.4	1.1.1.1	0xc939	Standard query (0)	tools.google.com	65	IN (0x0001)	false
Mar 7, 2025 18:20:09.126328945 CET	192.168.2.4	1.1.1.1	0xd4a3	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Mar 7, 2025 18:20:09.126532078 CET	192.168.2.4	1.1.1.1	0xa5b4	Standard query (0)	www.google.com	65	IN (0x0001)	false
Mar 7, 2025 18:20:09.704570055 CET	192.168.2.4	1.1.1.1	0x6b08	Standard query (0)	tools.google.com	A (IP address)	IN (0x0001)	false
Mar 7, 2025 18:20:09.704713106 CET	192.168.2.4	1.1.1.1	0xaf1c	Standard query (0)	tools.google.com	65	IN (0x0001)	false
Mar 7, 2025 18:20:21.529371977 CET	192.168.2.4	1.1.1.1	0x85d9	Standard query (0)	ipwhois.app	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 7, 2025 18:20:04.888858080 CET	1.1.1.1	192.168.2.4	0x14e5	No error (0)	tools.google.com	tools.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 7, 2025 18:20:04.888858080 CET	1.1.1.1	192.168.2.4	0x14e5	No error (0)	tools.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Mar 7, 2025 18:20:04.891848087 CET	1.1.1.1	192.168.2.4	0x148b	No error (0)	tools.google.com	tools.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 7, 2025 18:20:05.901140928 CET	1.1.1.1	192.168.2.4	0x72ec	No error (0)	tools.google.com	tools.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 7, 2025 18:20:05.901140928 CET	1.1.1.1	192.168.2.4	0x72ec	No error (0)	tools.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Mar 7, 2025 18:20:05.901891947 CET	1.1.1.1	192.168.2.4	0x5637	No error (0)	tools.google.com	tools.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 7, 2025 18:20:05.907788038 CET	1.1.1.1	192.168.2.4	0xd3fd	No error (0)	tools.google.com	tools.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 7, 2025 18:20:05.907788038 CET	1.1.1.1	192.168.2.4	0xd3fd	No error (0)	tools.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Mar 7, 2025 18:20:05.908159971 CET	1.1.1.1	192.168.2.4	0x2b3a	No error (0)	tools.google.com	tools.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 7, 2025 18:20:06.921499014 CET	1.1.1.1	192.168.2.4	0x673c	No error (0)	tools.google.com	tools.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 7, 2025 18:20:06.921499014 CET	1.1.1.1	192.168.2.4	0x673c	No error (0)	tools.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Mar 7, 2025 18:20:06.922111988 CET	1.1.1.1	192.168.2.4	0x484b	No error (0)	tools.google.com	tools.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 7, 2025 18:20:08.689529896 CET	1.1.1.1	192.168.2.4	0xf91c	No error (0)	tools.google.com	tools.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 7, 2025 18:20:08.689529896 CET	1.1.1.1	192.168.2.4	0xf91c	No error (0)	tools.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Mar 7, 2025 18:20:08.691840887 CET	1.1.1.1	192.168.2.4	0xc939	No error (0)	tools.google.com	tools.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 7, 2025 18:20:09.133590937 CET	1.1.1.1	192.168.2.4	0xd4a3	No error (0)	www.google.com		142.250.186.68	A (IP address)	IN (0x0001)	false
Mar 7, 2025 18:20:09.133698940 CET	1.1.1.1	192.168.2.4	0xa5b4	No error (0)	www.google.com			65	IN (0x0001)	false
Mar 7, 2025 18:20:09.712024927 CET	1.1.1.1	192.168.2.4	0x6b08	No error (0)	tools.google.com	tools.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 7, 2025 18:20:09.712024927 CET	1.1.1.1	192.168.2.4	0x6b08	No error (0)	tools.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Mar 7, 2025 18:20:09.715625048 CET	1.1.1.1	192.168.2.4	0xaf1c	No error (0)	tools.google.com	tools.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 7, 2025 18:20:21.538927078 CET	1.1.1.1	192.168.2.4	0x85d9	No error (0)	ipwhois.app		195.201.57.90	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ipwhois.app

c.pki.goog

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.4	49717	142.250.185.67	80

Timestamp	Bytes transferred	Direction	Data
Mar 7, 2025 18:19:49.256438017 CET	202	OUT	GET /r/gsr1.crl HTTP/1.1 Cache-Control: max-age = 3000 Connection: Keep-Alive Accept: / If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMT User-Agent: Microsoft-CryptoAPI/10.0 Host: c.pki.goog
Mar 7, 2025 18:19:49.876765013 CET	223	IN	HTTP/1.1 304 Not Modified Date: Fri, 07 Mar 2025 16:49:15 GMT Expires: Fri, 07 Mar 2025 17:39:15 GMT Age: 1834 Last-Modified: Tue, 07 Jan 2025 07:28:00 GMT Cache-Control: public, max-age=3000 Vary: Accept-Encoding
Mar 7, 2025 18:19:49.882457018 CET	200	OUT	GET /r/r4.crl HTTP/1.1 Cache-Control: max-age = 3000 Connection: Keep-Alive Accept: / If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT User-Agent: Microsoft-CryptoAPI/10.0 Host: c.pki.goog
Mar 7, 2025 18:19:50.061994076 CET	223	IN	HTTP/1.1 304 Not Modified Date: Fri, 07 Mar 2025 16:49:17 GMT Expires: Fri, 07 Mar 2025 17:39:17 GMT Age: 1832 Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT Cache-Control: public, max-age=3000 Vary: Accept-Encoding

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	195.201.57.90	443	1252	C:\Users\user\Desktop\capt1cha.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 17:20:24 UTC	55	OUT	GET /json/ HTTP/1.1 accept: / host: ipwhois.app
2025-03-07 17:20:24 UTC	255	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 17:20:24 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: close Server: ipwhois Access-Control-Allow-Origin: * Access-Control-Allow-Headers: * X-Robots-Tag: noindex
2025-03-07 17:20:24 UTC	724	IN	Data Raw: 32 63 38 0d 0a 7b 22 69 70 22 3a 22 31 37 33 2e 31 38 35 2e 35 39 2e 33 31 22 2c 22 73 75 63 63 65 73 73 22 3a 74 72 75 65 2c 22 74 79 70 65 22 3a 22 49 50 76 34 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 22 4e 41 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 5f 66 6c 61 67 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 63 64 6e 2e 69 70 77 68 6f 69 73 2e 69 6f 5c 2f 66 6c 61 67 73 5c 2f 75 73 2e 73 76 67 22 2c 22 63 6f 75 6e 74 72 79 5f 63 61 70 69 74 61 6c 22 3a 22 57 61 73 68 69 6e 67 74 6f 6e 20 44 2e 43 2e 22 2c 22 63 6f 75 6e 74 72 79 5f 70 Data Ascii: 2c8{"ip":"173.185.59.31","success":true,"type":"IPv4","continent":"North America","continent_code":"NA","country":"United States","country_code":"US","country_flag":"https:\/\/cdn.ipwhois.io\/flags\/us.svg","country_capital":"Washington D.C.","country_p

Target ID:	0
Start time:	12:19:33
Start date:	07/03/2025
Path:	C:\Users\user\Desktop\capt1cha.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\capt1cha.exe"
Imagebase:	0x7ff76ec40000
File size:	2'806'784 bytes
MD5 hash:	032F2E9EF6B95A08483283D3901E25B4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1705679022.00007FF76EC41000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:19:33
Start date:	07/03/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	"tasklist"
Imagebase:	0x7ff7c1a10000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:19:33
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:19:34
Start date:	07/03/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	"tasklist"
Imagebase:	0x7ff7c1a10000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:19:34
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:19:34
Start date:	07/03/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	"tasklist"
Imagebase:	0x7ff7c1a10000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:19:34
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:19:35
Start date:	07/03/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	"tasklist"
Imagebase:	0x7ff7c1a10000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:19:35
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	12:19:36
Start date:	07/03/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	"tasklist"
Imagebase:	0x7ff7c1a10000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:19:36
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	12:19:36
Start date:	07/03/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	"tasklist"
Imagebase:	0x7ff7c1a10000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	12:19:36
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	12:19:37
Start date:	07/03/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	"tasklist"
Imagebase:	0x7ff7c1a10000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	12:19:37
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	12:19:38
Start date:	07/03/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	"tasklist"
Imagebase:	0x7ff7c1a10000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	12:19:38
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	12:19:39
Start date:	07/03/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	"tasklist"
Imagebase:	0x7ff7c1a10000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	12:19:39
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	12:19:39
Start date:	07/03/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	"tasklist"
Imagebase:	0x7ff7c1a10000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	12:19:39
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	12:19:40
Start date:	07/03/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	"tasklist"
Imagebase:	0x7ff7c1a10000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	12:19:40
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	12:19:41
Start date:	07/03/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	"tasklist"
Imagebase:	0x7ff7c1a10000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	12:19:41
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	12:19:41
Start date:	07/03/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	"tasklist"
Imagebase:	0x7ff7c1a10000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	12:19:41
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	12:19:42
Start date:	07/03/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	"tasklist"
Imagebase:	0x7ff7c1a10000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	12:19:42
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	12:19:42
Start date:	07/03/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	"tasklist"
Imagebase:	0x7ff7c1a10000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	12:19:42
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	12:19:43
Start date:	07/03/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	"tasklist" /FO CSV /NH
Imagebase:	0x7ff7c1a10000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	12:19:43
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	12:20:01
Start date:	07/03/2025
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	"taskkill" /F /IM discord.exe
Imagebase:	0x7ff756050000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	12:20:01
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	12:20:01
Start date:	07/03/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	"tasklist" /FI "IMAGENAME eq msedge.exe"
Imagebase:	0x7ff7c1a10000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	12:20:01
Start date:	07/03/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	"tasklist" /FI "IMAGENAME eq chrome.exe"
Imagebase:	0x7ff7c1a10000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	12:20:01
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	12:20:01
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	12:20:02
Start date:	07/03/2025
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless --restore-last-session --remote-debugging-port=8481 --remote-allow-origins=* "--user-data-dir=C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default --start-minimized
Imagebase:	0x7ff699dc0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	46
Start time:	12:20:02
Start date:	07/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --restore-last-session --remote-debugging-port=8480 --remote-allow-origins=* "--user-data-dir=C:\Users\user\AppData\Local\Google\Chrome\User Data" --profile-directory=Default --start-minimized
Imagebase:	0x7ff786830000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	12:20:02
Start date:	07/03/2025
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=2080 --field-trial-handle=1452,i,9008779610849694314,4242886108634219008,262144 --disable-features=PaintHolding /prefetch:3
Imagebase:	0x7ff699dc0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	48
Start time:	12:20:02
Start date:	07/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\User Data" --no-pre-read-main-dll --field-trial-handle=2092,i,3451624109008190827,1165491758054830447,262144 --disable-features=PaintHolding --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2144 /prefetch:3
Imagebase:	0x7ff786830000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	12:20:09
Start date:	07/03/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	"tasklist" /FI "IMAGENAME eq chrome.exe"
Imagebase:	0x7ff7c1a10000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	12:20:09
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	12:20:09
Start date:	07/03/2025
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	"taskkill" /F /IM chrome.exe
Imagebase:	0x7ff756050000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	12:20:09
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	12:20:12
Start date:	07/03/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	"tasklist"
Imagebase:	0x7ff7c1a10000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	12:20:12
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	12:20:13
Start date:	07/03/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	"tasklist"
Imagebase:	0x7ff7c1a10000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	12:20:13
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	12:20:14
Start date:	07/03/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	"tasklist"
Imagebase:	0x7ff7c1a10000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	12:20:14
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	12:20:14
Start date:	07/03/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	"tasklist"
Imagebase:	0x7ff7c1a10000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	12:20:14
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	61
Start time:	12:20:15
Start date:	07/03/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	"tasklist"
Imagebase:	0x7ff7c1a10000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	62
Start time:	12:20:15
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	63
Start time:	12:20:15
Start date:	07/03/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	"tasklist"
Imagebase:	0x7ff7c1a10000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	64
Start time:	12:20:15
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	65
Start time:	12:20:16
Start date:	07/03/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	"tasklist"
Imagebase:	0x7ff7c1a10000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	66
Start time:	12:20:16
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	67
Start time:	12:20:16
Start date:	07/03/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	"tasklist"
Imagebase:	0x7ff7c1a10000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	68
Start time:	12:20:16
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	69
Start time:	12:20:17
Start date:	07/03/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	"tasklist"
Imagebase:	0x7ff7c1a10000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	70
Start time:	12:20:17
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	71
Start time:	12:20:17
Start date:	07/03/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	"tasklist"
Imagebase:	0x7ff7c1a10000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	72
Start time:	12:20:17
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	73
Start time:	12:20:18
Start date:	07/03/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	"tasklist"
Imagebase:	0x7ff7c1a10000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	74
Start time:	12:20:18
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	75
Start time:	12:20:18
Start date:	07/03/2025
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	"tasklist"
Imagebase:	0x7ff7c1a10000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	76
Start time:	12:20:18
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report capt1cha.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\DevToolsActivePort

C:\Users\user\AppData\Local\Temp\temp_cards_1394137168.db

C:\Users\user\AppData\Local\Temp\temp_cards_1795881575.db

C:\Users\user\AppData\Local\Temp\temp_history_2960040337.db

C:\Users\user\AppData\Local\Temp\temp_history_4167587886.db

C:\Users\user\AppData\Local\Temp\temp_login_1057773111.db

C:\Users\user\AppData\Local\Temp\temp_login_1949023805.db

\Device\Null

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
capt1cha.exe