Edit tour

Windows Analysis Report
1776871603.exe

Overview

General Information

Sample name:	1776871603.exe
Analysis ID:	1635405
MD5:	8bede54b9c4860ddcc2363cd2cf561b5
SHA1:	feb2808b79d444ff96f1fc29cf119a1c87a543a1
SHA256:	450b033145869b6b0dfcf0b1c5dd05044234402957ee9cf76cc56f24487e6b17
Tags:	exeuser-aachum
Infos:

Detection

Clipboard Hijacker

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected Clipboard Hijacker

Drops PE files with benign system names

Joe Sandbox ML detected suspicious sample

Potentially malicious time measurement code found

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: System File Execution Location Anomaly

Uses known network protocols on non-standard ports

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries disk information (often used to detect virtual machines)

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Communication To Uncommon Destination Ports

Sigma detected: CurrentVersion Autorun Keys Modification

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

1776871603.exe (PID: 3332 cmdline: "C:\Users\user\Desktop\1776871603.exe" MD5: 8BEDE54B9C4860DDCC2363CD2CF561B5)

cmd.exe (PID: 2284 cmdline: C:\Windows\system32\cmd.exe /c start cmd /C "ping localhost -n 1 && start C:\Users\user\AppData\Local\explorer.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3536 cmdline: cmd /C "ping localhost -n 1 && start C:\Users\user\AppData\Local\explorer.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 7312 cmdline: ping localhost -n 1 MD5: 2F46799D79D22AC72C241EC0322B011D)

explorer.exe (PID: 4176 cmdline: C:\Users\user\AppData\Local\explorer.exe MD5: 8BEDE54B9C4860DDCC2363CD2CF561B5)

explorer.exe (PID: 6596 cmdline: "C:\Users\user\AppData\Local\explorer.exe" MD5: 8BEDE54B9C4860DDCC2363CD2CF561B5)

explorer.exe (PID: 5064 cmdline: "C:\Users\user\AppData\Local\explorer.exe" MD5: 8BEDE54B9C4860DDCC2363CD2CF561B5)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: explorer.exe PID: 4176	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\1776871603.exe, ProcessId: 3332, TargetFilename: C:\Users\user\AppData\Local\explorer.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: C:\Users\user\AppData\Local\explorer.exe, CommandLine: C:\Users\user\AppData\Local\explorer.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\explorer.exe, NewProcessName: C:\Users\user\AppData\Local\explorer.exe, OriginalFileName: C:\Users\user\AppData\Local\explorer.exe, ParentCommandLine: cmd /C "ping localhost -n 1 && start C:\Users\user\AppData\Local\explorer.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3536, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\user\AppData\Local\explorer.exe, ProcessId: 4176, ProcessName: explorer.exe

Sigma detected: Communication To Uncommon Destination Ports

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 185.208.159.226, DestinationIsIpv6: false, DestinationPort: 8888, EventID: 3, Image: C:\Users\user\Desktop\1776871603.exe, Initiated: true, ProcessId: 3332, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49713

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\explorer.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\1776871603.exe, ProcessId: 3332, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer

Sigma detected: Proxy Execution Via Explorer.exe

Source: Process started

Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative: Data: Command: C:\Users\user\AppData\Local\explorer.exe, CommandLine: C:\Users\user\AppData\Local\explorer.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\explorer.exe, NewProcessName: C:\Users\user\AppData\Local\explorer.exe, OriginalFileName: C:\Users\user\AppData\Local\explorer.exe, ParentCommandLine: cmd /C "ping localhost -n 1 && start C:\Users\user\AppData\Local\explorer.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3536, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\user\AppData\Local\explorer.exe, ProcessId: 4176, ProcessName: explorer.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 1776871603.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/a	Avira URL Cloud: Label: malware
Source: http://93.88.203.34/cl/BatClipT.bat.226/P	Avira URL Cloud: Label: malware
Source: http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/R	Avira URL Cloud: Label: malware
Source: http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/Y	Avira URL Cloud: Label: malware
Source: http://185.208.159.226/p	Avira URL Cloud: Label: malware
Source: http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/U	Avira URL Cloud: Label: malware
Source: http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/N	Avira URL Cloud: Label: malware
Source: http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/V	Avira URL Cloud: Label: malware
Source: http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/OIDj	Avira URL Cloud: Label: malware
Source: http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/OID	Avira URL Cloud: Label: malware
Source: http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/M	Avira URL Cloud: Label: malware
Source: http://185.208.159.226/	Avira URL Cloud: Label: malware
Source: http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/any	Avira URL Cloud: Label: malware
Source: http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/;	Avira URL Cloud: Label: malware
Source: http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/8	Avira URL Cloud: Label: malware
Source: http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/3	Avira URL Cloud: Label: malware
Source: http://185.208.159.226/:	Avira URL Cloud: Label: malware
Source: http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/(	Avira URL Cloud: Label: malware
Source: http://93.88.203.34/cl/BatClipT	Avira URL Cloud: Label: malware
Source: http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/	Avira URL Cloud: Label: malware
Source: http://185.208.159.226/.	Avira URL Cloud: Label: malware
Source: http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/P$#	Avira URL Cloud: Label: malware
Source: http://185.208.159.226/6e7660115d80/	Avira URL Cloud: Label: malware
Source: http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/80/	Avira URL Cloud: Label: malware
Source: http://93.88.203.34/cl/BatClipT.bat	Avira URL Cloud: Label: malware
Source: http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/s	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\explorer.exe

Avira: detection malicious, Label: TR/Spy.Banker.kdiut

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\explorer.exe

ReversingLabs: Detection: 63%

Multi AV Scanner detection for submitted file

Source: 1776871603.exe	Virustotal: Detection: 59%			Perma Link
Source: 1776871603.exe	ReversingLabs: Detection: 63%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: unknown	HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.4:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.4:49715 version: TLS 1.2

Source: 1776871603.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\Administrator\Desktop\OneDrive\good\d53f8fa2ef2f4fcabd436e7660115d80\x64\Release\LClipper.pdbq source: 1776871603.exe, explorer.exe.0.dr
Source:	Binary string: C:\Users\Administrator\Desktop\OneDrive\good\d53f8fa2ef2f4fcabd436e7660115d80\x64\Release\LClipper.pdb source: 1776871603.exe, explorer.exe.0.dr

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Users\user\AppData\Local\explorer.exe	Network Connect: 185.208.159.226 8888	Jump to behavior
Source: C:\Users\user\AppData\Local\explorer.exe	Network Connect: 208.95.112.1 80	Jump to behavior
Source: C:\Users\user\AppData\Local\explorer.exe	Network Connect: 185.199.109.133 443	Jump to behavior

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 8888
Source: unknown	Network traffic detected: HTTP traffic on port 8888 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 8888
Source: unknown	Network traffic detected: HTTP traffic on port 8888 -> 49716

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping localhost -n 1

Source: global traffic

TCP traffic: 192.168.2.4:49713 -> 185.208.159.226:8888

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 185.199.109.133 185.199.109.133
Source: Joe Sandbox View	IP Address: 185.199.109.133 185.199.109.133

Source: Joe Sandbox View

ASN Name: SIMPLECARRER2IT SIMPLECARRER2IT

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

DNS query: name: ip-api.com

Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.226
Source: unknown	TCP traffic detected without corresponding DNS query: 185.208.159.226
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /VeraImage/MilitarySource/refs/heads/main/Code HTTP/1.1User-Agent: ClpBotHost: raw.githubusercontent.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /VeraImage/MilitarySource/refs/heads/main/Code HTTP/1.1User-Agent: ClpBotHost: raw.githubusercontent.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /line/ HTTP/1.1User-Agent: ClpBotHost: ip-api.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d53f8fa2ef2f4fcabd436e7660115d80/ HTTP/1.1User-Agent: ClpBotHost: 185.208.159.226:8888Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /line/ HTTP/1.1User-Agent: ClpBotHost: ip-api.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d53f8fa2ef2f4fcabd436e7660115d80/ HTTP/1.1User-Agent: ClpBotHost: 185.208.159.226:8888Cache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: raw.githubusercontent.com

Source: 1776871603.exe, 00000000.00000002.1495612161.00000294FB8E8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2695319275.000002072723A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2695142393.0000020727214000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.208.159.226/
Source: explorer.exe, 00000006.00000002.2695319275.000002072723A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.208.159.226/.
Source: explorer.exe, 00000006.00000002.2695319275.000002072723A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.208.159.226/6e7660115d80/
Source: explorer.exe, 00000006.00000002.2695142393.0000020727214000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.208.159.226/:
Source: explorer.exe, 00000006.00000002.2695142393.0000020727214000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.208.159.226/p
Source: explorer.exe, 00000006.00000002.2695142393.000002072714C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2695142393.00000207271E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/
Source: explorer.exe, 00000006.00000002.2695142393.00000207271E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/(
Source: explorer.exe, 00000006.00000002.2695142393.0000020727214000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/3
Source: explorer.exe, 00000006.00000002.2695142393.0000020727214000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/8
Source: explorer.exe, 00000006.00000002.2695142393.0000020727214000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/80/
Source: 1776871603.exe, 00000000.00000002.1495612161.00000294FB8E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/;
Source: 1776871603.exe, 00000000.00000003.1474147972.00000294FB8B1000.00000004.00000020.00020000.00000000.sdmp, 1776871603.exe, 00000000.00000002.1495612161.00000294FB8B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/M
Source: explorer.exe, 00000006.00000002.2695142393.0000020727214000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/N
Source: 1776871603.exe, 00000000.00000003.1474426819.00000294FB8E8000.00000004.00000020.00020000.00000000.sdmp, 1776871603.exe, 00000000.00000003.1474147972.00000294FB8E8000.00000004.00000020.00020000.00000000.sdmp, 1776871603.exe, 00000000.00000002.1495612161.00000294FB8E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/OID
Source: 1776871603.exe, 00000000.00000003.1474426819.00000294FB8E8000.00000004.00000020.00020000.00000000.sdmp, 1776871603.exe, 00000000.00000003.1474147972.00000294FB8E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/OIDj
Source: explorer.exe, 00000006.00000002.2695142393.0000020727214000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/P$#
Source: 1776871603.exe, 00000000.00000002.1495612161.00000294FB8B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/R
Source: explorer.exe, 00000006.00000002.2695142393.0000020727214000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/U
Source: 1776871603.exe, 00000000.00000002.1495612161.00000294FB8E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/V
Source: 1776871603.exe, 00000000.00000003.1474426819.00000294FB8BB000.00000004.00000020.00020000.00000000.sdmp, 1776871603.exe, 00000000.00000002.1495612161.00000294FB8B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/Y
Source: 1776871603.exe, 00000000.00000002.1495612161.00000294FB8B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2695142393.0000020727214000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/a
Source: 1776871603.exe, 00000000.00000002.1495612161.00000294FB8B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/any
Source: explorer.exe, 00000006.00000002.2695142393.00000207271E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/s
Source: explorer.exe, 00000006.00000002.2694983774.00000014809A8000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://185.208.k
Source: explorer.exe, 00000006.00000002.2695434254.0000020728F44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://93.88.203.34/cl/BatClipT
Source: explorer.exe, 00000006.00000002.2695142393.0000020727214000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://93.88.203.34/cl/BatClipT.bat
Source: explorer.exe, 00000006.00000002.2695142393.0000020727214000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://93.88.203.34/cl/BatClipT.bat.226/P
Source: 1776871603.exe, explorer.exe.0.dr	String found in binary or memory: http://ip-api.com/line/
Source: explorer.exe, 00000006.00000002.2695142393.00000207271A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/-
Source: 1776871603.exe, 00000000.00000002.1495612161.00000294FB875000.00000004.00000020.00020000.00000000.sdmp, 1776871603.exe, 00000000.00000003.1474310515.00000294FB88F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?j
Source: 1776871603.exe, 00000000.00000002.1495612161.00000294FB875000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/E
Source: 1776871603.exe, explorer.exe.0.dr	String found in binary or memory: http://ip-api.com/line/RUBYUA797739A5A68043409FBEC5CFF63BE680UwwEUQtfIAckUApWAFVXUVsidnZ1UHRwcAYCc3B
Source: 1776871603.exe, 00000000.00000003.1474310515.00000294FB898000.00000004.00000020.00020000.00000000.sdmp, 1776871603.exe, 00000000.00000002.1495612161.00000294FB898000.00000004.00000020.00020000.00000000.sdmp, 1776871603.exe, 00000000.00000002.1495612161.00000294FB875000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2695142393.00000207271A8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2695142393.0000020727214000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/
Source: explorer.exe, 00000006.00000002.2695142393.00000207271A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/$Nj?
Source: explorer.exe, 00000006.00000002.2695142393.0000020727214000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/G
Source: explorer.exe, 00000006.00000002.2695142393.00000207271A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/JN4?
Source: 1776871603.exe, 00000000.00000003.1474310515.00000294FB898000.00000004.00000020.00020000.00000000.sdmp, 1776871603.exe, 00000000.00000002.1495612161.00000294FB898000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/KbM
Source: explorer.exe, 00000006.00000002.2695142393.00000207271A8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2695142393.0000020727214000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2695142393.00000207271E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/Code
Source: explorer.exe, 00000006.00000002.2695142393.00000207271A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/Code#9
Source: 1776871603.exe, 00000000.00000002.1495612161.00000294FB81C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/Code1
Source: explorer.exe, 00000006.00000002.2695142393.00000207271E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/Code1n
Source: 1776871603.exe, 00000000.00000002.1495612161.00000294FB81C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/Code2
Source: explorer.exe, 00000006.00000002.2695142393.00000207271A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/Code89
Source: 1776871603.exe, 00000000.00000002.1495612161.00000294FB81C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/CodeL
Source: 1776871603.exe, 00000000.00000003.1474310515.00000294FB898000.00000004.00000020.00020000.00000000.sdmp, 1776871603.exe, 00000000.00000002.1495612161.00000294FB898000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/CodeLf
Source: explorer.exe, 00000006.00000002.2695142393.00000207271A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/CodeM32
Source: explorer.exe, 00000006.00000002.2695142393.00000207271A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/Codea9
Source: explorer.exe, 00000006.00000002.2695142393.00000207271E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/Codei
Source: explorer.exe, 00000006.00000002.2695142393.00000207271A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/Codeindows
Source: explorer.exe, 00000006.00000002.2695142393.00000207271E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/Codemn
Source: explorer.exe, 00000006.00000002.2695142393.00000207271A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/Codev9

Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.4:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.4:49715 version: TLS 1.2

Source: C:\Users\user\Desktop\1776871603.exe	Code function: 0_2_00007FF7612A5C40	0_2_00007FF7612A5C40
Source: C:\Users\user\Desktop\1776871603.exe	Code function: 0_2_00007FF7612A7A40	0_2_00007FF7612A7A40
Source: C:\Users\user\Desktop\1776871603.exe	Code function: 0_2_00007FF7612A8E80	0_2_00007FF7612A8E80
Source: C:\Users\user\Desktop\1776871603.exe	Code function: 0_2_00007FF7612AB260	0_2_00007FF7612AB260
Source: C:\Users\user\Desktop\1776871603.exe	Code function: 0_2_00007FF7612ABE60	0_2_00007FF7612ABE60
Source: C:\Users\user\Desktop\1776871603.exe	Code function: 0_2_00007FF7612ABCC0	0_2_00007FF7612ABCC0
Source: C:\Users\user\Desktop\1776871603.exe	Code function: 0_2_00007FF7612A78A0	0_2_00007FF7612A78A0
Source: C:\Users\user\Desktop\1776871603.exe	Code function: 0_2_00007FF7612ACAA0	0_2_00007FF7612ACAA0
Source: C:\Users\user\Desktop\1776871603.exe	Code function: 0_2_00007FF7612AF0A0	0_2_00007FF7612AF0A0
Source: C:\Users\user\Desktop\1776871603.exe	Code function: 0_2_00007FF7612AB900	0_2_00007FF7612AB900
Source: C:\Users\user\Desktop\1776871603.exe	Code function: 0_2_00007FF7612A7740	0_2_00007FF7612A7740
Source: C:\Users\user\Desktop\1776871603.exe	Code function: 0_2_00007FF7612AE540	0_2_00007FF7612AE540
Source: C:\Users\user\Desktop\1776871603.exe	Code function: 0_2_00007FF7612A3780	0_2_00007FF7612A3780
Source: C:\Users\user\Desktop\1776871603.exe	Code function: 0_2_00007FF7612AA180	0_2_00007FF7612AA180
Source: C:\Users\user\Desktop\1776871603.exe	Code function: 0_2_00007FF7612AA172	0_2_00007FF7612AA172
Source: C:\Users\user\Desktop\1776871603.exe	Code function: 0_2_00007FF7612AED70	0_2_00007FF7612AED70
Source: C:\Users\user\Desktop\1776871603.exe	Code function: 0_2_00007FF7612AB760	0_2_00007FF7612AB760
Source: C:\Users\user\Desktop\1776871603.exe	Code function: 0_2_00007FF7612AA9B0	0_2_00007FF7612AA9B0
Source: C:\Users\user\Desktop\1776871603.exe	Code function: 0_2_00007FF7612AB5A0	0_2_00007FF7612AB5A0
Source: C:\Users\user\Desktop\1776871603.exe	Code function: 0_2_00007FF7612A95A0	0_2_00007FF7612A95A0
Source: C:\Users\user\Desktop\1776871603.exe	Code function: 0_2_00007FF7612AE400	0_2_00007FF7612AE400
Source: C:\Users\user\Desktop\1776871603.exe	Code function: 0_2_00007FF7612ABFF0	0_2_00007FF7612ABFF0
Source: C:\Users\user\Desktop\1776871603.exe	Code function: 0_2_00007FF7612AEFE2	0_2_00007FF7612AEFE2
Source: C:\Users\user\AppData\Local\explorer.exe	Code function: 6_2_00007FF6E0CEE400	6_2_00007FF6E0CEE400
Source: C:\Users\user\AppData\Local\explorer.exe	Code function: 6_2_00007FF6E0CEBFF0	6_2_00007FF6E0CEBFF0
Source: C:\Users\user\AppData\Local\explorer.exe	Code function: 6_2_00007FF6E0CEEFE2	6_2_00007FF6E0CEEFE2
Source: C:\Users\user\AppData\Local\explorer.exe	Code function: 6_2_00007FF6E0CEA180	6_2_00007FF6E0CEA180
Source: C:\Users\user\AppData\Local\explorer.exe	Code function: 6_2_00007FF6E0CE3780	6_2_00007FF6E0CE3780
Source: C:\Users\user\AppData\Local\explorer.exe	Code function: 6_2_00007FF6E0CEA9B0	6_2_00007FF6E0CEA9B0
Source: C:\Users\user\AppData\Local\explorer.exe	Code function: 6_2_00007FF6E0CEB5A0	6_2_00007FF6E0CEB5A0
Source: C:\Users\user\AppData\Local\explorer.exe	Code function: 6_2_00007FF6E0CE95A0	6_2_00007FF6E0CE95A0
Source: C:\Users\user\AppData\Local\explorer.exe	Code function: 6_2_00007FF6E0CEE540	6_2_00007FF6E0CEE540
Source: C:\Users\user\AppData\Local\explorer.exe	Code function: 6_2_00007FF6E0CE7740	6_2_00007FF6E0CE7740
Source: C:\Users\user\AppData\Local\explorer.exe	Code function: 6_2_00007FF6E0CEA172	6_2_00007FF6E0CEA172
Source: C:\Users\user\AppData\Local\explorer.exe	Code function: 6_2_00007FF6E0CEED70	6_2_00007FF6E0CEED70
Source: C:\Users\user\AppData\Local\explorer.exe	Code function: 6_2_00007FF6E0CEB760	6_2_00007FF6E0CEB760
Source: C:\Users\user\AppData\Local\explorer.exe	Code function: 6_2_00007FF6E0CEB900	6_2_00007FF6E0CEB900
Source: C:\Users\user\AppData\Local\explorer.exe	Code function: 6_2_00007FF6E0CEBCC0	6_2_00007FF6E0CEBCC0
Source: C:\Users\user\AppData\Local\explorer.exe	Code function: 6_2_00007FF6E0CE8E80	6_2_00007FF6E0CE8E80
Source: C:\Users\user\AppData\Local\explorer.exe	Code function: 6_2_00007FF6E0CECAA0	6_2_00007FF6E0CECAA0
Source: C:\Users\user\AppData\Local\explorer.exe	Code function: 6_2_00007FF6E0CEF0A0	6_2_00007FF6E0CEF0A0
Source: C:\Users\user\AppData\Local\explorer.exe	Code function: 6_2_00007FF6E0CE78A0	6_2_00007FF6E0CE78A0
Source: C:\Users\user\AppData\Local\explorer.exe	Code function: 6_2_00007FF6E0CE5C40	6_2_00007FF6E0CE5C40
Source: C:\Users\user\AppData\Local\explorer.exe	Code function: 6_2_00007FF6E0CE7A40	6_2_00007FF6E0CE7A40
Source: C:\Users\user\AppData\Local\explorer.exe	Code function: 6_2_00007FF6E0CEB260	6_2_00007FF6E0CEB260
Source: C:\Users\user\AppData\Local\explorer.exe	Code function: 6_2_00007FF6E0CEBE60	6_2_00007FF6E0CEBE60

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@13/9@2/3

Source: C:\Users\user\Desktop\1776871603.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\line[1].txt

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3348:120:WilError_03
Source: C:\Users\user\AppData\Local\explorer.exe	Mutant created: \Sessions\1\BaseNamedObjects\aUkJ+dUJw
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8132:120:WilError_03

Source: C:\Users\user\AppData\Local\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\ChromiumDatagram.txt

Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\explorer.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\explorer.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\explorer.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\explorer.exe	Jump to behavior

Source: 1776871603.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\1776871603.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 1776871603.exe	Virustotal: Detection: 59%
Source: 1776871603.exe	ReversingLabs: Detection: 63%

Source: 1776871603.exe	String found in binary or memory: id-cmc-addExtensions
Source: 1776871603.exe	String found in binary or memory: set-addPolicy

Source: C:\Users\user\Desktop\1776871603.exe

File read: C:\Users\user\Desktop\1776871603.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\1776871603.exe "C:\Users\user\Desktop\1776871603.exe"
Source: C:\Users\user\Desktop\1776871603.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "ping localhost -n 1 && start C:\Users\user\AppData\Local\explorer.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "ping localhost -n 1 && start C:\Users\user\AppData\Local\explorer.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\explorer.exe C:\Users\user\AppData\Local\explorer.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\explorer.exe "C:\Users\user\AppData\Local\explorer.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\explorer.exe "C:\Users\user\AppData\Local\explorer.exe"
Source: C:\Users\user\Desktop\1776871603.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "ping localhost -n 1 && start C:\Users\user\AppData\Local\explorer.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "ping localhost -n 1 && start C:\Users\user\AppData\Local\explorer.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\explorer.exe C:\Users\user\AppData\Local\explorer.exe	Jump to behavior

Source: C:\Users\user\Desktop\1776871603.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1776871603.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\1776871603.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\1776871603.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1776871603.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\1776871603.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1776871603.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1776871603.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\1776871603.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1776871603.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1776871603.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\1776871603.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1776871603.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1776871603.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\1776871603.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1776871603.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\1776871603.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1776871603.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1776871603.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\1776871603.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\1776871603.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\1776871603.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\1776871603.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\1776871603.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1776871603.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1776871603.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\1776871603.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\1776871603.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1776871603.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\1776871603.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1776871603.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\explorer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\explorer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\explorer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\explorer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\explorer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\explorer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\explorer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\explorer.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\explorer.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\explorer.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\explorer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\explorer.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\explorer.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\explorer.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\explorer.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\explorer.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\explorer.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Users\user\Desktop\1776871603.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: 1776871603.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 1776871603.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: 1776871603.exe

Static file information: File size 3648000 > 1048576

Source: 1776871603.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1be400
Source: 1776871603.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1a1200

Source: 1776871603.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 1776871603.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 1776871603.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 1776871603.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 1776871603.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 1776871603.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 1776871603.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 1776871603.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\Administrator\Desktop\OneDrive\good\d53f8fa2ef2f4fcabd436e7660115d80\x64\Release\LClipper.pdbq source: 1776871603.exe, explorer.exe.0.dr
Source:	Binary string: C:\Users\Administrator\Desktop\OneDrive\good\d53f8fa2ef2f4fcabd436e7660115d80\x64\Release\LClipper.pdb source: 1776871603.exe, explorer.exe.0.dr

Source: 1776871603.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 1776871603.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 1776871603.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 1776871603.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 1776871603.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\1776871603.exe	Code function: 0_2_00007FF7612A82FE push rax; retf	0_2_00007FF7612A8313
Source: C:\Users\user\Desktop\1776871603.exe	Code function: 0_2_00007FF7612A8317 push rax; retf	0_2_00007FF7612A8313
Source: C:\Users\user\AppData\Local\explorer.exe	Code function: 6_2_00007FF6E0CE82FE push rax; retf	6_2_00007FF6E0CE8313
Source: C:\Users\user\AppData\Local\explorer.exe	Code function: 6_2_00007FF6E0CE8317 push rax; retf	6_2_00007FF6E0CE8313

Source: 1776871603.exe	Static PE information: section name: .text entropy: 6.862718423504815
Source: explorer.exe.0.dr	Static PE information: section name: .text entropy: 6.862718423504815

Persistence and Installation Behavior

Drops PE files with benign system names

Source: C:\Users\user\Desktop\1776871603.exe

File created: C:\Users\user\AppData\Local\explorer.exe

Jump to dropped file

Source: C:\Users\user\Desktop\1776871603.exe

File created: C:\Users\user\AppData\Local\explorer.exe

Jump to dropped file

Source: C:\Users\user\Desktop\1776871603.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run explorer			Jump to behavior
Source: C:\Users\user\Desktop\1776871603.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run explorer			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 8888
Source: unknown	Network traffic detected: HTTP traffic on port 8888 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 8888
Source: unknown	Network traffic detected: HTTP traffic on port 8888 -> 49716

Source: C:\Users\user\AppData\Local\explorer.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Malware Analysis System Evasion

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 1			Jump to behavior

Source: C:\Users\user\Desktop\1776871603.exe

Code function: 0_2_00007FF7612A1330 rdtsc

0_2_00007FF7612A1330

Source: C:\Users\user\AppData\Local\explorer.exe

Window / User API: threadDelayed 4896

Jump to behavior

Source: C:\Users\user\AppData\Local\explorer.exe TID: 2564	Thread sleep count: 4896 > 30			Jump to behavior
Source: C:\Users\user\AppData\Local\explorer.exe TID: 2564	Thread sleep time: -97920s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\1776871603.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\explorer.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\explorer.exe	Last function: Thread delayed

Source: 1776871603.exe, 00000000.00000003.1474310515.00000294FB898000.00000004.00000020.00020000.00000000.sdmp, 1776871603.exe, 00000000.00000002.1495612161.00000294FB898000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWH\
Source: 1776871603.exe, 00000000.00000002.1495612161.00000294FB81C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWR
Source: 1776871603.exe, 00000000.00000003.1474310515.00000294FB898000.00000004.00000020.00020000.00000000.sdmp, 1776871603.exe, 00000000.00000002.1495612161.00000294FB898000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2695142393.000002072714C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2695142393.00000207271E1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Anti Debugging

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\1776871603.exe	Code function: 0_2_00007FF7612A1330	0_2_00007FF7612A1330
Source: C:\Users\user\Desktop\1776871603.exe	Code function: 0_2_00007FF7612A1380	0_2_00007FF7612A1380
Source: C:\Users\user\AppData\Local\explorer.exe	Code function: 6_2_00007FF6E0CE1380	6_2_00007FF6E0CE1380
Source: C:\Users\user\AppData\Local\explorer.exe	Code function: 6_2_00007FF6E0CE1330	6_2_00007FF6E0CE1330

Source: C:\Users\user\Desktop\1776871603.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Local\explorer.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\1776871603.exe

Code function: 0_2_00007FF7612A1330 rdtsc

0_2_00007FF7612A1330

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Users\user\AppData\Local\explorer.exe	Network Connect: 185.208.159.226 8888	Jump to behavior
Source: C:\Users\user\AppData\Local\explorer.exe	Network Connect: 208.95.112.1 80	Jump to behavior
Source: C:\Users\user\AppData\Local\explorer.exe	Network Connect: 185.199.109.133 443	Jump to behavior

Source: C:\Users\user\Desktop\1776871603.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "ping localhost -n 1 && start C:\Users\user\AppData\Local\explorer.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "ping localhost -n 1 && start C:\Users\user\AppData\Local\explorer.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\explorer.exe C:\Users\user\AppData\Local\explorer.exe	Jump to behavior

Source: C:\Users\user\Desktop\1776871603.exe

Code function: 0_2_00007FF761427374 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF761427374

Stealing of Sensitive Information

Yara detected Clipboard Hijacker

Source: Yara match

File source: Process Memory Space: explorer.exe PID: 4176, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	111 Process Injection	11 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	3 Virtualization/Sandbox Evasion	LSASS Memory	1 Query Registry	Remote Desktop Protocol	Data from Removable Media	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	111 Process Injection	Security Account Manager	131 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	3 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	11 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	12 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
1776871603.exe	60%	Virustotal		Browse
1776871603.exe	63%	ReversingLabs	Win64.Trojan.Generic
1776871603.exe	100%	Avira	TR/Spy.Banker.kdiut

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\explorer.exe	100%	Avira	TR/Spy.Banker.kdiut
C:\Users\user\AppData\Local\explorer.exe	63%	ReversingLabs	Win64.Trojan.Generic

Source	Detection	Scanner	Label
http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/a	100%	Avira URL Cloud	malware
http://93.88.203.34/cl/BatClipT.bat.226/P	100%	Avira URL Cloud	malware
http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/R	100%	Avira URL Cloud	malware
http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/Y	100%	Avira URL Cloud	malware
http://185.208.159.226/p	100%	Avira URL Cloud	malware
http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/U	100%	Avira URL Cloud	malware
http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/N	100%	Avira URL Cloud	malware
http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/V	100%	Avira URL Cloud	malware
http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/OIDj	100%	Avira URL Cloud	malware
http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/OID	100%	Avira URL Cloud	malware
http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/M	100%	Avira URL Cloud	malware
http://185.208.159.226/	100%	Avira URL Cloud	malware
http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/any	100%	Avira URL Cloud	malware
http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/;	100%	Avira URL Cloud	malware
http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/8	100%	Avira URL Cloud	malware
http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/3	100%	Avira URL Cloud	malware
http://185.208.159.226/:	100%	Avira URL Cloud	malware
http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/(	100%	Avira URL Cloud	malware
http://93.88.203.34/cl/BatClipT	100%	Avira URL Cloud	malware
http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/	100%	Avira URL Cloud	malware
http://185.208.159.226/.	100%	Avira URL Cloud	malware
http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/P$#	100%	Avira URL Cloud	malware
http://185.208.159.226/6e7660115d80/	100%	Avira URL Cloud	malware
http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/80/	100%	Avira URL Cloud	malware
http://93.88.203.34/cl/BatClipT.bat	100%	Avira URL Cloud	malware
http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/s	100%	Avira URL Cloud	malware
http://185.208.k	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
raw.githubusercontent.com	185.199.109.133	true	false		high
ip-api.com	208.95.112.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/Code	false		high
http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/	true	Avira URL Cloud: malware	unknown
http://ip-api.com/line/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://93.88.203.34/cl/BatClipT.bat.226/P	explorer.exe, 00000006.00000002.2695142393.0000020727214000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/Codemn	explorer.exe, 00000006.00000002.2695142393.00000207271E1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.208.159.226/p	explorer.exe, 00000006.00000002.2695142393.0000020727214000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/OIDj	1776871603.exe, 00000000.00000003.1474426819.00000294FB8E8000.00000004.00000020.00020000.00000000.sdmp, 1776871603.exe, 00000000.00000003.1474147972.00000294FB8E8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/a	1776871603.exe, 00000000.00000002.1495612161.00000294FB8B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2695142393.0000020727214000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/Codei	explorer.exe, 00000006.00000002.2695142393.00000207271E1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/CodeLf	1776871603.exe, 00000000.00000003.1474310515.00000294FB898000.00000004.00000020.00020000.00000000.sdmp, 1776871603.exe, 00000000.00000002.1495612161.00000294FB898000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/Y	1776871603.exe, 00000000.00000003.1474426819.00000294FB8BB000.00000004.00000020.00020000.00000000.sdmp, 1776871603.exe, 00000000.00000002.1495612161.00000294FB8B1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/V	1776871603.exe, 00000000.00000002.1495612161.00000294FB8E8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/U	explorer.exe, 00000006.00000002.2695142393.0000020727214000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ip-api.com/line/E	1776871603.exe, 00000000.00000002.1495612161.00000294FB875000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/R	1776871603.exe, 00000000.00000002.1495612161.00000294FB8B1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/N	explorer.exe, 00000006.00000002.2695142393.0000020727214000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/OID	1776871603.exe, 00000000.00000003.1474426819.00000294FB8E8000.00000004.00000020.00020000.00000000.sdmp, 1776871603.exe, 00000000.00000003.1474147972.00000294FB8E8000.00000004.00000020.00020000.00000000.sdmp, 1776871603.exe, 00000000.00000002.1495612161.00000294FB8E8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://185.208.159.226/	1776871603.exe, 00000000.00000002.1495612161.00000294FB8E8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2695319275.000002072723A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2695142393.0000020727214000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/M	1776871603.exe, 00000000.00000003.1474147972.00000294FB8B1000.00000004.00000020.00020000.00000000.sdmp, 1776871603.exe, 00000000.00000002.1495612161.00000294FB8B1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/any	1776871603.exe, 00000000.00000002.1495612161.00000294FB8B1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://93.88.203.34/cl/BatClipT	explorer.exe, 00000006.00000002.2695434254.0000020728F44000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/Codeindows	explorer.exe, 00000006.00000002.2695142393.00000207271A8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/CodeM32	explorer.exe, 00000006.00000002.2695142393.00000207271A8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/CodeL	1776871603.exe, 00000000.00000002.1495612161.00000294FB81C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/;	1776871603.exe, 00000000.00000002.1495612161.00000294FB8E8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/8	explorer.exe, 00000006.00000002.2695142393.0000020727214000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ip-api.com/line/-	explorer.exe, 00000006.00000002.2695142393.00000207271A8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/3	explorer.exe, 00000006.00000002.2695142393.0000020727214000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://185.208.159.226/:	explorer.exe, 00000006.00000002.2695142393.0000020727214000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/(	explorer.exe, 00000006.00000002.2695142393.00000207271E1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/Code2	1776871603.exe, 00000000.00000002.1495612161.00000294FB81C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/Code1	1776871603.exe, 00000000.00000002.1495612161.00000294FB81C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/P$#	explorer.exe, 00000006.00000002.2695142393.0000020727214000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://185.208.159.226/.	explorer.exe, 00000006.00000002.2695319275.000002072723A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ip-api.com/line/RUBYUA797739A5A68043409FBEC5CFF63BE680UwwEUQtfIAckUApWAFVXUVsidnZ1UHRwcAYCc3B	1776871603.exe, explorer.exe.0.dr	false		high
https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/Code1n	explorer.exe, 00000006.00000002.2695142393.00000207271E1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.208.159.226/6e7660115d80/	explorer.exe, 00000006.00000002.2695319275.000002072723A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://raw.githubusercontent.com/$Nj?	explorer.exe, 00000006.00000002.2695142393.00000207271A8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/JN4?	explorer.exe, 00000006.00000002.2695142393.00000207271A8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/Codea9	explorer.exe, 00000006.00000002.2695142393.00000207271A8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/Code#9	explorer.exe, 00000006.00000002.2695142393.00000207271A8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/	1776871603.exe, 00000000.00000003.1474310515.00000294FB898000.00000004.00000020.00020000.00000000.sdmp, 1776871603.exe, 00000000.00000002.1495612161.00000294FB898000.00000004.00000020.00020000.00000000.sdmp, 1776871603.exe, 00000000.00000002.1495612161.00000294FB875000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2695142393.00000207271A8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2695142393.0000020727214000.00000004.00000020.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/G	explorer.exe, 00000006.00000002.2695142393.0000020727214000.00000004.00000020.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/KbM	1776871603.exe, 00000000.00000003.1474310515.00000294FB898000.00000004.00000020.00020000.00000000.sdmp, 1776871603.exe, 00000000.00000002.1495612161.00000294FB898000.00000004.00000020.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/Codev9	explorer.exe, 00000006.00000002.2695142393.00000207271A8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/VeraImage/MilitarySource/refs/heads/main/Code89	explorer.exe, 00000006.00000002.2695142393.00000207271A8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/80/	explorer.exe, 00000006.00000002.2695142393.0000020727214000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://93.88.203.34/cl/BatClipT.bat	explorer.exe, 00000006.00000002.2695142393.0000020727214000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://185.208.k	explorer.exe, 00000006.00000002.2694983774.00000014809A8000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ip-api.com/line/?j	1776871603.exe, 00000000.00000002.1495612161.00000294FB875000.00000004.00000020.00020000.00000000.sdmp, 1776871603.exe, 00000000.00000003.1474310515.00000294FB88F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.208.159.226:8888/d53f8fa2ef2f4fcabd436e7660115d80/s	explorer.exe, 00000006.00000002.2695142393.00000207271E1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.208.159.226	unknown	Switzerland	34888	SIMPLECARRER2IT	true
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
185.199.109.133	raw.githubusercontent.com	Netherlands	54113	FASTLYUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1635405
Start date and time:	2025-03-11 16:33:20 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1776871603.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@13/9@2/3
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 172.202.163.200, 4.245.163.56
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 1776871603.exe, PID 3332 because there are no executed function
Execution Graph export aborted for target explorer.exe, PID 4176 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1776871603.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Windows Analysis Report
1776871603.exe