Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
imagine_Whatsapp_2025-03-12.img.exe

Overview

General Information

Sample name:imagine_Whatsapp_2025-03-12.img.exe
Analysis ID:1640575
MD5:352c3764bb9f59d7b21cab61930be003
SHA1:58a5f679d05c4d845ba83bd326d58b4223f76b6a
SHA256:252adea6ee9da3c00b53667295d5ce774e827f3c5d5f300d223c71c202d18c16
Tags:exeuser-adrian__luca
Infos:

Detection

Score:92
Range:0 - 100
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • imagine_Whatsapp_2025-03-12.img.exe (PID: 7288 cmdline: "C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exe" MD5: 352C3764BB9F59D7B21CAB61930BE003)
    • powershell.exe (PID: 7520 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process "https://adobe.com" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chrome.exe (PID: 7808 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://adobe.com/ MD5: E81F54E6C1129887AEA47E7D092680BF)
        • chrome.exe (PID: 7992 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1892,i,3081667511989857361,15125524406106775601,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2024 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
    • InstallUtil.exe (PID: 7580 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
      • WerFault.exe (PID: 7776 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7580 -s 1144 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.1249025627.0000000003474000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
    00000000.00000002.1294938065.0000000006B20000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
      00000000.00000002.1281351430.00000000047BE000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
        Process Memory Space: imagine_Whatsapp_2025-03-12.img.exe PID: 7288JoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
          Process Memory Space: imagine_Whatsapp_2025-03-12.img.exe PID: 7288JoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
            Click to see the 1 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.imagine_Whatsapp_2025-03-12.img.exe.6b20000.7.unpackJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
              0.2.imagine_Whatsapp_2025-03-12.img.exe.6b20000.7.raw.unpackJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
                0.2.imagine_Whatsapp_2025-03-12.img.exe.49b2e40.1.unpackJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
                  0.2.imagine_Whatsapp_2025-03-12.img.exe.49b2e40.1.raw.unpackJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security

                    Sigma Signatures

                    Sigma detected: Non Interactive PowerShell Process Spawned
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process "https://adobe.com", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process "https://adobe.com", CommandLine|base64offset|contains: J, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exe", ParentImage: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exe, ParentProcessId: 7288, ParentProcessName: imagine_Whatsapp_2025-03-12.img.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process "https://adobe.com", ProcessId: 7520, ProcessName: powershell.exe

                    Suricata Signatures

                    No Suricata rule has matched

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Antivirus / Scanner detection for submitted sample
                    Source: imagine_Whatsapp_2025-03-12.img.exeAvira: detected
                    Multi AV Scanner detection for submitted file
                    Source: imagine_Whatsapp_2025-03-12.img.exeReversingLabs: Detection: 72%
                    Source: imagine_Whatsapp_2025-03-12.img.exeVirustotal: Detection: 50%Perma Link
                    Joe Sandbox ML detected suspicious sample
                    Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                    Source: imagine_Whatsapp_2025-03-12.img.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7808_1975068186\LICENSE.txtJump to behavior
                    Source: imagine_Whatsapp_2025-03-12.img.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: \??\C:\Windows\exe\InstallUtil.pdb5 source: InstallUtil.exe, 00000004.00000002.2440428167.0000000001186000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: InstallUtil.exe, 00000004.00000002.2440428167.00000000011E5000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb= source: InstallUtil.exe, 00000004.00000002.2440428167.0000000001186000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1281351430.0000000004419000.00000004.00000800.00020000.00000000.sdmp, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1281351430.00000000043C1000.00000004.00000800.00020000.00000000.sdmp, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1299907213.00000000073B0000.00000004.08000000.00040000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\System.pdbc source: InstallUtil.exe, 00000004.00000002.2440428167.00000000011E5000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: imagine_Whatsapp_2025-03-12.img.exe, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1281351430.0000000004419000.00000004.00000800.00020000.00000000.sdmp, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1281351430.00000000043C1000.00000004.00000800.00020000.00000000.sdmp, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1299907213.00000000073B0000.00000004.08000000.00040000.00000000.sdmp
                    Source: Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.30319\InstallUtil.pdb source: InstallUtil.exe, 00000004.00000002.2440080032.0000000000F88000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdbSHA256}Lq source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1299126822.0000000007190000.00000004.08000000.00040000.00000000.sdmp, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1281351430.0000000004419000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdbq source: InstallUtil.exe, 00000004.00000002.2440428167.0000000001186000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000004.00000002.2440428167.00000000011E5000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdb source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1299126822.0000000007190000.00000004.08000000.00040000.00000000.sdmp, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1281351430.0000000004419000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\System.pdb source: InstallUtil.exe, 00000004.00000002.2440428167.00000000011E5000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000004.00000002.2440428167.00000000011E5000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: InstallUtil.exe, 00000004.00000002.2440428167.00000000011E5000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: o.pdb source: InstallUtil.exe, 00000004.00000002.2440080032.0000000000F88000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\InstallUtil.pdbY source: InstallUtil.exe, 00000004.00000002.2440428167.00000000011E5000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\InstallUtil.pdbd source: InstallUtil.exe, 00000004.00000002.2440428167.00000000011E5000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: oC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000004.00000002.2440080032.0000000000F88000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: HPzo8C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000004.00000002.2440080032.0000000000F88000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: C:\Windows\InstallUtil.pdbpdbtil.pdb source: InstallUtil.exe, 00000004.00000002.2440428167.00000000011E5000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\exe\InstallUtil.pdb source: InstallUtil.exe, 00000004.00000002.2440428167.0000000001186000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: ((.pdb(s( source: InstallUtil.exe, 00000004.00000002.2440080032.0000000000F88000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\mscorlib.pdb source: InstallUtil.exe, 00000004.00000002.2440428167.00000000011E5000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.PDB source: InstallUtil.exe, 00000004.00000002.2440428167.00000000011E5000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: C:\Windows\System.pdbpdbtem.pdbfi source: InstallUtil.exe, 00000004.00000002.2440428167.0000000001186000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000004.00000002.2440080032.0000000000F88000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: InstallUtil.exe, 00000004.00000002.2440428167.00000000011E5000.00000004.00000020.00020000.00000000.sdmp
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeCode function: 4x nop then jmp 07402948h0_2_07402890
                    Source: Joe Sandbox ViewIP Address: 1.1.1.1 1.1.1.1
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1249025627.00000000033C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: imagine_Whatsapp_2025-03-12.img.exeString found in binary or memory: http://www.codeproject.com/Articles/16009/A-Much-Easier-to-Use-ListView
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://2k.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://33across.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://360yield.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://3lift.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://a-mo.net
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://acxiom.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://ad-score.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://ad-stir.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://ad.gt
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://adentifi.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://adform.net
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://adingo.jp
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://admatrix.jp
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://admission.net
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://admixer.net
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://adnami.io
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://adnxs.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://adroll.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://adsafeprotected.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://adscale.de
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://adsmeasurement.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://adsrvr.org
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://adswizz.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://adthrive.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://adtrafficquality.google
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://advividnetwork.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://aggregation-service-site-dot-clz200258-datateam-italy.ew.r.appspot.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://akpytela.cz
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://alketech.eu
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://amazon-adsystem.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://aniview.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://anonymised.io
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://apex-football.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://aphub.ai
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://appconsent.io
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://appier.net
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://appsflyer.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://appsflyersdk.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://aqfer.com
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1249025627.00000000033C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://arborspalet.rs
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1249025627.00000000033C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://arborspalet.rs/Hzret.mp4
                    Source: imagine_Whatsapp_2025-03-12.img.exeString found in binary or memory: https://arborspalet.rs/Hzret.mp4YI/KzSqBb0C7dZRHeal
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://atirun.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://atomex.net
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://audience360.com.au
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://audienceproject.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://authorizedvault.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://avads.net
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://ayads.io
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://azubiyo.de
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://beaconmax.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://bidswitch.net
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://bidtheatre.net
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://blendee.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://bluems.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://boost-web.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://bounceexchange.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://bypass.jp
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://casalemedia.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://cazamba.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://cdn-net.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://clickonometrics.pl
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://connatix.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://connected-stories.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://convertunits.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://coupang.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://cpx.to
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://crcldu.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://creative-serving.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://creativecdn.com
                    Source: LICENSE.txt.8.drString found in binary or memory: https://creativecommons.org/.
                    Source: LICENSE.txt.8.drString found in binary or memory: https://creativecommons.org/compatiblelicenses
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://criteo.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://ctnsnet.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://d-edgeconnect.media
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://dabbs.net
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://dailymail.co.uk
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://dailymotion.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://daum.net
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://deepintent.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://demand.supply
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://display.io
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://disqus.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://docomo.ne.jp
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://dotdashmeredith.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://dotomi.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://doubleclick.net
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://doubleverify.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://dreammail.jp
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://dynalyst.jp
                    Source: LICENSE.txt.8.drString found in binary or memory: https://easylist.to/)
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://ebayadservices.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://ebis.ne.jp
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://edkt.io
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://elle.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://elnacional.cat
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://eloan.co.jp
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://euleriancdn.net
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://explorefledge.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://ezoic.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://fanbyte.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://fandom.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://finn.no
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://flashtalking.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://fout.jp
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://fwmrm.net
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://gama.globo
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://get3rdspace.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://getcapi.co
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://getyourguide.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://ghtinc.com
                    Source: LICENSE.txt.8.drString found in binary or memory: https://github.com/easylist)
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1299126822.0000000007190000.00000004.08000000.00040000.00000000.sdmp, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1281351430.0000000004419000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-net
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1299126822.0000000007190000.00000004.08000000.00040000.00000000.sdmp, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1281351430.0000000004419000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-netJ
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1299126822.0000000007190000.00000004.08000000.00040000.00000000.sdmp, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1281351430.0000000004419000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-neti
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://globo.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://gmossp-sp.jp
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://gokwik.co
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://google-analytics.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://googleadservices.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://googlesyndication.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://grxchange.gr
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://gsspat.jp
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://gumgum.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://gunosy.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://halcy.de
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://html-load.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://i-mobile.co.jp
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://im-apps.net
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://impact-ad.jp
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://indexww.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://ingereck.net
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://inmobi.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://innovid.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://iobeya.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://jivox.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://jkforum.net
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://kargo.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://kidoz.net
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://kompaspublishing.nl
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://ladsp.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://linkedin.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://logly.co.jp
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://lucead.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://lwadm.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://mail.ru
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://media.net
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://media6degrees.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://mediaintelligence.de
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://mediamath.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://mediavine.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://metro.co.uk
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://microad.jp
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://momento.dev
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://moshimo.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://naver.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://nexxen.tech
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://nhnace.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://nodals.io
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://onet.pl
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://onetag-sys.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://open-bid.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://openx.net
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://optable.co
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://outbrain.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://paa-reporting-advertising.amazon
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://payment.goog
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://permutive.app
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://pinterest.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://postrelease.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://presage.io
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://primecaster.net
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://privacy-sandbox-demos-ad-server.dev
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://privacy-sandbox-demos-dsp-a.dev
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://privacy-sandbox-demos-dsp-b.dev
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://privacy-sandbox-demos-dsp-x.dev
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://privacy-sandbox-demos-dsp-y.dev
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://privacy-sandbox-demos-dsp.dev
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://privacy-sandbox-demos-ssp-a.dev
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://privacy-sandbox-demos-ssp-b.dev
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://privacy-sandbox-demos-ssp-x.dev
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://privacy-sandbox-demos-ssp-y.dev
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://privacy-sandbox-demos-ssp.dev
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://privacy-sandbox-test.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://privacy-sandcastle-dev-ad-server.web.app
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://privacy-sandcastle-dev-dsp-a1.web.app
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://privacy-sandcastle-dev-dsp-b1.web.app
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://privacy-sandcastle-dev-dsp-x.web.app
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://privacy-sandcastle-dev-dsp-y.web.app
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://privacy-sandcastle-dev-dsp.web.app
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://privacy-sandcastle-dev-ssp-a.web.app
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://privacy-sandcastle-dev-ssp-b.web.app
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://privacy-sandcastle-dev-ssp-x.web.app
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://privacy-sandcastle-dev-ssp-y.web.app
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://privacy-sandcastle-dev-ssp.web.app
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://ptb-msmt-static-5jyy5ulagq-uc.a.run.app
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://pub.network
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://pubmatic.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://pubtm.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://quantserve.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://quora.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://r2b2.io
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://relevant-digital.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://retargetly.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://rubiconproject.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://samplicio.us
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://sascdn.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://seedtag.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://semafor.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://sephora.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://shared-storage-demo-content-producer.web.app
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://shared-storage-demo-publisher-a.web.app
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://shared-storage-demo-publisher-b.web.app
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://shinobi.jp
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://shinystat.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://simeola.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://singular.net
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://sitescout.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://smadexprivacysandbox.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://snapchat.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://socdm.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://sportradarserving.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://stackadapt.com
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1299126822.0000000007190000.00000004.08000000.00040000.00000000.sdmp, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1281351430.0000000004419000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1299126822.0000000007190000.00000004.08000000.00040000.00000000.sdmp, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1281351430.0000000004419000.00000004.00000800.00020000.00000000.sdmp, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1249025627.0000000003474000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1299126822.0000000007190000.00000004.08000000.00040000.00000000.sdmp, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1281351430.0000000004419000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://storygize.net
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://superfine.org
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://t13.io
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://taboola.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://tailtarget.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://tamedia.com.tw
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://tangooserver.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://teads.tv
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://theryn.io
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://tiktok.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://tncid.app
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://toponad.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://torneos.gg
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://tpmark.net
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://tribalfusion.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://trip.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://triptease.io
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://trkkn.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://tya-dev.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://uinterbox.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://undertone.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://unrulymedia.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://uol.com.br
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://usemax.de
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://validate.audio
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://verve.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://vg.no
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://vidazoo.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://vpadn.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://washingtonpost.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://weborama-tech.ru
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://weborama.fr
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://wepowerconnections.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://worldhistory.org
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://wp.pl
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://yahoo.co.jp
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://yahoo.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://yelp.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://yieldlab.net
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://yieldmo.com
                    Source: privacy-sandbox-attestations.dat.8.drString found in binary or memory: https://youronlinechoices.eu
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\scoped_dir7808_621295014Jump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7808_1010496509Jump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7808_1010496509\privacy-sandbox-attestations.datJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7808_1010496509\manifest.jsonJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7808_1010496509\_metadata\Jump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7808_1010496509\_metadata\verified_contents.jsonJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7808_1010496509\manifest.fingerprintJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\scoped_dir7808_675644399Jump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7808_1975068186Jump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7808_1975068186\LICENSE.txtJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7808_1975068186\Filtering RulesJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7808_1975068186\manifest.jsonJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7808_1975068186\_metadata\Jump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7808_1975068186\_metadata\verified_contents.jsonJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7808_1975068186\manifest.fingerprintJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\scoped_dir7808_383795061Jump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7808_912150650Jump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7808_912150650\keys.jsonJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7808_912150650\manifest.jsonJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7808_912150650\LICENSEJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7808_912150650\_metadata\Jump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7808_912150650\_metadata\verified_contents.jsonJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7808_912150650\manifest.fingerprintJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\scoped_dir7808_369741938Jump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7808_2070733410Jump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7808_2070733410\history_search_strings_farmhashed.binarypbJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7808_2070733410\manifest.jsonJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7808_2070733410\_metadata\Jump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7808_2070733410\_metadata\verified_contents.jsonJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7808_2070733410\manifest.fingerprintJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile deleted: C:\Windows\SystemTemp\scoped_dir7808_621295014Jump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeCode function: 0_2_07400E100_2_07400E10
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeCode function: 0_2_073B6E5B0_2_073B6E5B
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeCode function: 0_2_0167C0700_2_0167C070
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeCode function: 0_2_0167B6E00_2_0167B6E0
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeCode function: 0_2_0736F6480_2_0736F648
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeCode function: 0_2_0736F9000_2_0736F900
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeCode function: 0_2_0736E0D80_2_0736E0D8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_01591C424_2_01591C42
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_015923804_2_01592380
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_01594C404_2_01594C40
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_01591C424_2_01591C42
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_015920F84_2_015920F8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_015920E84_2_015920E8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_015957F84_2_015957F8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_015957EA4_2_015957EA
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_015947A54_2_015947A5
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_01594A7A4_2_01594A7A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_015923804_2_01592380
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7580 -s 1144
                    Source: imagine_Whatsapp_2025-03-12.img.exeBinary or memory string: OriginalFilename vs imagine_Whatsapp_2025-03-12.img.exe
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1299126822.0000000007190000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs imagine_Whatsapp_2025-03-12.img.exe
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1249025627.0000000003407000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs imagine_Whatsapp_2025-03-12.img.exe
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1281351430.0000000004419000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs imagine_Whatsapp_2025-03-12.img.exe
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1281351430.0000000004419000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs imagine_Whatsapp_2025-03-12.img.exe
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1281351430.0000000004419000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUasrluacu.dll" vs imagine_Whatsapp_2025-03-12.img.exe
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1248224098.00000000016AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs imagine_Whatsapp_2025-03-12.img.exe
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1281351430.00000000043C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs imagine_Whatsapp_2025-03-12.img.exe
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1299907213.00000000073B0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs imagine_Whatsapp_2025-03-12.img.exe
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1287650639.00000000064A0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameUasrluacu.dll" vs imagine_Whatsapp_2025-03-12.img.exe
                    Source: imagine_Whatsapp_2025-03-12.img.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.43c9550.4.raw.unpack, ITaskFolder.csTask registration methods: 'RegisterTaskDefinition', 'RegisterTask'
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.43c9550.4.raw.unpack, TaskFolder.csTask registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.43c9550.4.raw.unpack, Task.csTask registration methods: 'RegisterChanges', 'CreateTask'
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.43c9550.4.raw.unpack, TaskService.csTask registration methods: 'CreateFromToken'
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.73b0000.9.raw.unpack, ITaskFolder.csTask registration methods: 'RegisterTaskDefinition', 'RegisterTask'
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.73b0000.9.raw.unpack, TaskFolder.csTask registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.43c9550.4.raw.unpack, TaskFolder.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.43c9550.4.raw.unpack, Task.csSecurity API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.43c9550.4.raw.unpack, TaskPrincipal.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.73b0000.9.raw.unpack, TaskFolder.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.43c9550.4.raw.unpack, User.csSecurity API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.73b0000.9.raw.unpack, TaskPrincipal.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.73b0000.9.raw.unpack, Task.csSecurity API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.73b0000.9.raw.unpack, User.csSecurity API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.43c9550.4.raw.unpack, TaskSecurity.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.43c9550.4.raw.unpack, TaskSecurity.csSecurity API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.73b0000.9.raw.unpack, TaskSecurity.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.73b0000.9.raw.unpack, TaskSecurity.csSecurity API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
                    Source: classification engineClassification label: mal92.evad.winEXE@31/22@0/3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMutant created: NULL
                    Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7776:64:WilError_03
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeMutant created: \Sessions\1\BaseNamedObjects\Hfvlk
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7528:120:WilError_03
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hjcigecl.au3.ps1Jump to behavior
                    Source: imagine_Whatsapp_2025-03-12.img.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: imagine_Whatsapp_2025-03-12.img.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: imagine_Whatsapp_2025-03-12.img.exeReversingLabs: Detection: 72%
                    Source: imagine_Whatsapp_2025-03-12.img.exeVirustotal: Detection: 50%
                    Source: imagine_Whatsapp_2025-03-12.img.exeString found in binary or memory: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><HTML><HEAD></HEAD><BODY><!--StartFragment-->{0}<!--EndFragment--></BODY></HTML>
                    Source: unknownProcess created: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exe "C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exe"
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process "https://adobe.com"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7580 -s 1144
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://adobe.com/
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1892,i,3081667511989857361,15125524406106775601,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2024 /prefetch:3
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process "https://adobe.com"Jump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://adobe.com/Jump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1892,i,3081667511989857361,15125524406106775601,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2024 /prefetch:3Jump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.shell.servicehostbuilder.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ieframe.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netapi32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wkscli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mlang.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wtsapi32.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winsta.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: imagine_Whatsapp_2025-03-12.img.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: imagine_Whatsapp_2025-03-12.img.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                    Source: imagine_Whatsapp_2025-03-12.img.exeStatic file information: File size 1112576 > 1048576
                    Source: imagine_Whatsapp_2025-03-12.img.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x10e200
                    Source: imagine_Whatsapp_2025-03-12.img.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: \??\C:\Windows\exe\InstallUtil.pdb5 source: InstallUtil.exe, 00000004.00000002.2440428167.0000000001186000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: InstallUtil.exe, 00000004.00000002.2440428167.00000000011E5000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb= source: InstallUtil.exe, 00000004.00000002.2440428167.0000000001186000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1281351430.0000000004419000.00000004.00000800.00020000.00000000.sdmp, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1281351430.00000000043C1000.00000004.00000800.00020000.00000000.sdmp, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1299907213.00000000073B0000.00000004.08000000.00040000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\System.pdbc source: InstallUtil.exe, 00000004.00000002.2440428167.00000000011E5000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: imagine_Whatsapp_2025-03-12.img.exe, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1281351430.0000000004419000.00000004.00000800.00020000.00000000.sdmp, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1281351430.00000000043C1000.00000004.00000800.00020000.00000000.sdmp, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1299907213.00000000073B0000.00000004.08000000.00040000.00000000.sdmp
                    Source: Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.30319\InstallUtil.pdb source: InstallUtil.exe, 00000004.00000002.2440080032.0000000000F88000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdbSHA256}Lq source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1299126822.0000000007190000.00000004.08000000.00040000.00000000.sdmp, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1281351430.0000000004419000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdbq source: InstallUtil.exe, 00000004.00000002.2440428167.0000000001186000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000004.00000002.2440428167.00000000011E5000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdb source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1299126822.0000000007190000.00000004.08000000.00040000.00000000.sdmp, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1281351430.0000000004419000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\System.pdb source: InstallUtil.exe, 00000004.00000002.2440428167.00000000011E5000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000004.00000002.2440428167.00000000011E5000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: InstallUtil.exe, 00000004.00000002.2440428167.00000000011E5000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: o.pdb source: InstallUtil.exe, 00000004.00000002.2440080032.0000000000F88000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\InstallUtil.pdbY source: InstallUtil.exe, 00000004.00000002.2440428167.00000000011E5000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\InstallUtil.pdbd source: InstallUtil.exe, 00000004.00000002.2440428167.00000000011E5000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: oC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000004.00000002.2440080032.0000000000F88000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: HPzo8C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000004.00000002.2440080032.0000000000F88000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: C:\Windows\InstallUtil.pdbpdbtil.pdb source: InstallUtil.exe, 00000004.00000002.2440428167.00000000011E5000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\exe\InstallUtil.pdb source: InstallUtil.exe, 00000004.00000002.2440428167.0000000001186000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: ((.pdb(s( source: InstallUtil.exe, 00000004.00000002.2440080032.0000000000F88000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\mscorlib.pdb source: InstallUtil.exe, 00000004.00000002.2440428167.00000000011E5000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.PDB source: InstallUtil.exe, 00000004.00000002.2440428167.00000000011E5000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: C:\Windows\System.pdbpdbtem.pdbfi source: InstallUtil.exe, 00000004.00000002.2440428167.0000000001186000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000004.00000002.2440080032.0000000000F88000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: InstallUtil.exe, 00000004.00000002.2440428167.00000000011E5000.00000004.00000020.00020000.00000000.sdmp

                    Data Obfuscation

                    barindex
                    .NET source code contains potential unpacker
                    Source: imagine_Whatsapp_2025-03-12.img.exe, ConfigService.cs.Net Code: WatchConfig System.AppDomain.Load(byte[])
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.43c9550.4.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.43c9550.4.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.43c9550.4.raw.unpack, XmlSerializationHelper.cs.Net Code: ReadObjectProperties
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.73b0000.9.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.73b0000.9.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.73b0000.9.raw.unpack, XmlSerializationHelper.cs.Net Code: ReadObjectProperties
                    Suspicious powershell command line found
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process "https://adobe.com"
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process "https://adobe.com"Jump to behavior
                    Yara detected Costura Assembly Loader
                    Source: Yara matchFile source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.6b20000.7.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.6b20000.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.49b2e40.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.49b2e40.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000002.1249025627.0000000003474000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1294938065.0000000006B20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1281351430.00000000047BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: imagine_Whatsapp_2025-03-12.img.exe PID: 7288, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 7580, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4_2_01593E02 push cs; ret 4_2_01593E0F
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.64a0000.5.raw.unpack, oJsWOxbZcFpkm16LekG.csHigh entropy of concatenated method names: 'xycb8VMCRr', 'b2gbOdsF5w', 'thnbVW3HN8', 'tARbnNg4yM', 'YkObSu6uJB', 'QqDb9fEQm7', 'ENlbLGigvr', 'dp5bHDk8UD', 'k5ubjcnbmw', 'nKsb6u441R'
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7808_1975068186\LICENSE.txtJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    barindex
                    Yara detected AntiVM3
                    Source: Yara matchFile source: Process Memory Space: imagine_Whatsapp_2025-03-12.img.exe PID: 7288, type: MEMORYSTR
                    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1249025627.0000000003474000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeMemory allocated: 1670000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeMemory allocated: 33C0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeMemory allocated: 32E0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 1550000 memory reserve | memory write watchJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 2F70000 memory reserve | memory write watchJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 2E80000 memory reserve | memory write watchJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2098Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 788Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7748Thread sleep time: -3689348814741908s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7644Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1249025627.0000000003474000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1249025627.0000000003474000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: q 1:en-CH:Microsoft|VMWare|Virtual
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1249025627.0000000003474000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware|VIRTUAL|A M I|Xen
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1286942192.00000000063A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\D
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1249025627.0000000003474000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: q 1:en-CH:VMware|VIRTUAL|A M I|Xen
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1249025627.0000000003474000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Microsoft|VMWare|Virtual
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1248224098.00000000016E3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll=
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess queried: DebugPortJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess queried: DebugPortJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    Injects a PE file into a foreign processes
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5AJump to behavior
                    Writes to foreign memory regions
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000Jump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000Jump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 46E000Jump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 470000Jump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: D94008Jump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process "https://adobe.com"Jump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://adobe.com/Jump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeQueries volume information: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Mitre Att&ck Matrix

                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
                    Windows Management Instrumentation                    		1
                    Scheduled Task/Job                    		211
                    Process Injection                    		1
                    Masquerading                    		OS Credential Dumping121
                    Security Software Discovery                    		Remote Services1
                    Archive Collected Data                    		1
                    Encrypted Channel                    		Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault Accounts2
                    Command and Scripting Interpreter                    		1
                    DLL Side-Loading                    		1
                    Scheduled Task/Job                    		1
                    Disable or Modify Tools                    		LSASS Memory1
                    Process Discovery                    		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain Accounts1
                    Scheduled Task/Job                    		Logon Script (Windows)1
                    DLL Side-Loading                    		51
                    Virtualization/Sandbox Evasion                    		Security Account Manager51
                    Virtualization/Sandbox Evasion                    		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal Accounts1
                    PowerShell                    		Login HookLogin Hook211
                    Process Injection                    		NTDS1
                    Application Window Discovery                    		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script2
                    Obfuscated Files or Information                    		LSA Secrets1
                    File and Directory Discovery                    		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                    Software Packing                    		Cached Domain Credentials32
                    System Information Discovery                    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                    DLL Side-Loading                    		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                    File Deletion                    		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    behaviorgraph top1 signatures2 2 Behavior Graph ID: 1640575 Sample: imagine_Whatsapp_2025-03-12... Startdate: 17/03/2025 Architecture: WINDOWS Score: 92 31 Antivirus / Scanner detection for submitted sample 2->31 33 Multi AV Scanner detection for submitted file 2->33 35 Yara detected AntiVM3 2->35 37 3 other signatures 2->37 8 imagine_Whatsapp_2025-03-12.img.exe 15 3 2->8         started        process3 dnsIp4 29 185.102.77.35 HOSTING90UPSTREAMconnectivityCZ Czech Republic 8->29 39 Suspicious powershell command line found 8->39 41 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->41 43 Writes to foreign memory regions 8->43 45 Injects a PE file into a foreign processes 8->45 12 powershell.exe 23 8->12         started        14 InstallUtil.exe 2 8->14         started        signatures5 process6 process7 16 chrome.exe 35 12->16         started        18 conhost.exe 12->18         started        20 WerFault.exe 4 14->20         started        process8 22 chrome.exe 16->22         started        dnsIp9 25 142.250.185.196 GOOGLEUS United States 22->25 27 1.1.1.1 CLOUDFLARENETUS Australia 22->27

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    imagine_Whatsapp_2025-03-12.img.exe72%ReversingLabsWin32.Trojan.Jalapeno
                    imagine_Whatsapp_2025-03-12.img.exe51%VirustotalBrowse
                    imagine_Whatsapp_2025-03-12.img.exe100%AviraTR/Kryptik.itkfs

                    Dropped Files

                    No Antivirus matches

                    Unpacked PE Files

                    No Antivirus matches

                    Domains

                    No Antivirus matches

                    URLs

                    No Antivirus matches

                    Domains and IPs

                    Contacted Domains

                    No contacted domains info

                    URLs from Memory and Binaries

                    NameSourceMaliciousAntivirus DetectionReputation
                    https://mediavine.comprivacy-sandbox-attestations.dat.8.drfalse
                      		high
                      https://connatix.comprivacy-sandbox-attestations.dat.8.drfalse
                        		high
                        https://yelp.comprivacy-sandbox-attestations.dat.8.drfalse
                          		high
                          https://nodals.ioprivacy-sandbox-attestations.dat.8.drfalse
                            		high
                            https://getyourguide.comprivacy-sandbox-attestations.dat.8.drfalse
                              		high
                              https://mediaintelligence.deprivacy-sandbox-attestations.dat.8.drfalse
                                		high
                                https://privacy-sandcastle-dev-dsp.web.appprivacy-sandbox-attestations.dat.8.drfalse
                                  		high
                                  https://privacy-sandbox-demos-dsp-a.devprivacy-sandbox-attestations.dat.8.drfalse
                                    		high
                                    https://permutive.appprivacy-sandbox-attestations.dat.8.drfalse
                                      		high
                                      https://privacy-sandbox-demos-dsp.devprivacy-sandbox-attestations.dat.8.drfalse
                                        		high
                                        https://adthrive.comprivacy-sandbox-attestations.dat.8.drfalse
                                          		high
                                          https://ad.gtprivacy-sandbox-attestations.dat.8.drfalse
                                            		high
                                            https://easylist.to/)LICENSE.txt.8.drfalse
                                              		high
                                              https://gumgum.comprivacy-sandbox-attestations.dat.8.drfalse
                                                		high
                                                https://trkkn.comprivacy-sandbox-attestations.dat.8.drfalse
                                                  		high
                                                  https://logly.co.jpprivacy-sandbox-attestations.dat.8.drfalse
                                                    		high
                                                    https://media6degrees.comprivacy-sandbox-attestations.dat.8.drfalse
                                                      		high
                                                      https://privacy-sandcastle-dev-ssp.web.appprivacy-sandbox-attestations.dat.8.drfalse
                                                        		high
                                                        https://inmobi.comprivacy-sandbox-attestations.dat.8.drfalse
                                                          		high
                                                          https://33across.comprivacy-sandbox-attestations.dat.8.drfalse
                                                            		high
                                                            https://dreammail.jpprivacy-sandbox-attestations.dat.8.drfalse
                                                              		high
                                                              https://jkforum.netprivacy-sandbox-attestations.dat.8.drfalse
                                                                		high
                                                                https://iobeya.comprivacy-sandbox-attestations.dat.8.drfalse
                                                                  		high
                                                                  https://a-mo.netprivacy-sandbox-attestations.dat.8.drfalse
                                                                    		high
                                                                    https://ebis.ne.jpprivacy-sandbox-attestations.dat.8.drfalse
                                                                      		high
                                                                      https://privacy-sandbox-demos-ssp-y.devprivacy-sandbox-attestations.dat.8.drfalse
                                                                        		high
                                                                        https://aphub.aiprivacy-sandbox-attestations.dat.8.drfalse
                                                                          		high
                                                                          https://gama.globoprivacy-sandbox-attestations.dat.8.drfalse
                                                                            		high
                                                                            https://audienceproject.comprivacy-sandbox-attestations.dat.8.drfalse
                                                                              		high
                                                                              https://adsrvr.orgprivacy-sandbox-attestations.dat.8.drfalse
                                                                                		high
                                                                                https://finn.noprivacy-sandbox-attestations.dat.8.drfalse
                                                                                  		high
                                                                                  https://lucead.comprivacy-sandbox-attestations.dat.8.drfalse
                                                                                    		high
                                                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameimagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1249025627.00000000033C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      		high
                                                                                      https://verve.comprivacy-sandbox-attestations.dat.8.drfalse
                                                                                        		high
                                                                                        https://r2b2.ioprivacy-sandbox-attestations.dat.8.drfalse
                                                                                          		high
                                                                                          https://stackoverflow.com/q/14436606/23354imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1299126822.0000000007190000.00000004.08000000.00040000.00000000.sdmp, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1281351430.0000000004419000.00000004.00000800.00020000.00000000.sdmp, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1249025627.0000000003474000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            		high
                                                                                            https://bluems.comprivacy-sandbox-attestations.dat.8.drfalse
                                                                                              		high
                                                                                              https://edkt.ioprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                		high
                                                                                                https://atomex.netprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                  		high
                                                                                                  https://crcldu.comprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                    		high
                                                                                                    https://rubiconproject.comprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                      		high
                                                                                                      https://sitescout.comprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                        		high
                                                                                                        https://apex-football.comprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                          		high
                                                                                                          https://dotomi.comprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                            		high
                                                                                                            https://ctnsnet.comprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                              		high
                                                                                                              https://toponad.comprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                		high
                                                                                                                https://shinobi.jpprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                  		high
                                                                                                                  https://superfine.orgprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                    		high
                                                                                                                    https://360yield.comprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                      		high
                                                                                                                      https://usemax.deprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                        		high
                                                                                                                        https://display.ioprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                          		high
                                                                                                                          https://adform.netprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                            		high
                                                                                                                            https://eloan.co.jpprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                              		high
                                                                                                                              https://postrelease.comprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                                		high
                                                                                                                                https://aqfer.comprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                                  		high
                                                                                                                                  https://docomo.ne.jpprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                                    		high
                                                                                                                                    https://shared-storage-demo-publisher-a.web.appprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                                      		high
                                                                                                                                      https://weborama-tech.ruprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                                        		high
                                                                                                                                        https://innovid.comprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                                          		high
                                                                                                                                          https://demand.supplyprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                                            		high
                                                                                                                                            https://nexxen.techprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                                              		high
                                                                                                                                              https://2k.comprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                                                		high
                                                                                                                                                https://advividnetwork.comprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                                                  		high
                                                                                                                                                  https://undertone.comprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                                                    		high
                                                                                                                                                    https://creative-serving.comprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                                                      		high
                                                                                                                                                      https://unrulymedia.comprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                                                        		high
                                                                                                                                                        https://tailtarget.comprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                                                          		high
                                                                                                                                                          https://paa-reporting-advertising.amazonprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                                                            		high
                                                                                                                                                            https://privacy-sandbox-demos-ssp-b.devprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                                                              		high
                                                                                                                                                              https://bypass.jpprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                                                                		high
                                                                                                                                                                https://dotdashmeredith.comprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                                                                  		high
                                                                                                                                                                  http://www.codeproject.com/Articles/16009/A-Much-Easier-to-Use-ListViewimagine_Whatsapp_2025-03-12.img.exefalse
                                                                                                                                                                    		high
                                                                                                                                                                    https://atirun.comprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                                                                      		high
                                                                                                                                                                      https://adingo.jpprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                                                                        		high
                                                                                                                                                                        https://impact-ad.jpprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                                                                          		high
                                                                                                                                                                          https://admatrix.jpprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                                                                            		high
                                                                                                                                                                            https://openx.netprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                                                                              		high
                                                                                                                                                                              https://taboola.comprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                                                                                		high
                                                                                                                                                                                https://ayads.ioprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                                                                                  		high
                                                                                                                                                                                  https://i-mobile.co.jpprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                                                                                    		high
                                                                                                                                                                                    https://uinterbox.comprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                                                                                      		high
                                                                                                                                                                                      https://mail.ruprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                                                                                        		high
                                                                                                                                                                                        https://simeola.comprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                                                                                          		high
                                                                                                                                                                                          https://gmossp-sp.jpprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                                                                                            		high
                                                                                                                                                                                            https://primecaster.netprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                                                                                              		high
                                                                                                                                                                                              https://privacy-sandcastle-dev-ssp-a.web.appprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                                                                                                		high
                                                                                                                                                                                                https://worldhistory.orgprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                                                                                                  		high
                                                                                                                                                                                                  https://stackoverflow.com/q/11564914/23354;imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1299126822.0000000007190000.00000004.08000000.00040000.00000000.sdmp, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.1281351430.0000000004419000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    		high
                                                                                                                                                                                                    https://adnxs.comprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                                                                                                      		high
                                                                                                                                                                                                      https://dabbs.netprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                                                                                                        		high
                                                                                                                                                                                                        https://seedtag.comprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                                                                                                          		high
                                                                                                                                                                                                          https://casalemedia.comprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                                                                                                            		high
                                                                                                                                                                                                            https://privacy-sandcastle-dev-dsp-x.web.appprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                                                                                                              		high
                                                                                                                                                                                                              https://authorizedvault.comprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                                                                                                                		high
                                                                                                                                                                                                                https://privacy-sandcastle-dev-ssp-y.web.appprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                                                                                                                  		high
                                                                                                                                                                                                                  https://sportradarserving.comprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                                                                                                                    		high
                                                                                                                                                                                                                    https://semafor.comprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                                                                                                                      		high
                                                                                                                                                                                                                      https://lwadm.comprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                                                                                                                        		high
                                                                                                                                                                                                                        https://appconsent.ioprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                                                                                                                          		high
                                                                                                                                                                                                                          https://vg.noprivacy-sandbox-attestations.dat.8.drfalse
                                                                                                                                                                                                                            		high

                                                                                                                                                                                                                            World Map of Contacted IPs

                                                                                                                                                                                                                            • No. of IPs < 25%
                                                                                                                                                                                                                            • 25% < No. of IPs < 50%
                                                                                                                                                                                                                            • 50% < No. of IPs < 75%
                                                                                                                                                                                                                            • 75% < No. of IPs

                                                                                                                                                                                                                            Public IPs

                                                                                                                                                                                                                            IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                                                                                                            1.1.1.1
                                                                                                                                                                                                                            		unknownAustralia
                                                                                                                                                                                                                            		13335CLOUDFLARENETUSfalse
                                                                                                                                                                                                                            185.102.77.35
                                                                                                                                                                                                                            		unknownCzech Republic
                                                                                                                                                                                                                            		198171HOSTING90UPSTREAMconnectivityCZfalse
                                                                                                                                                                                                                            142.250.185.196
                                                                                                                                                                                                                            		unknownUnited States
                                                                                                                                                                                                                            		15169GOOGLEUSfalse

                                                                                                                                                                                                                            General Information

                                                                                                                                                                                                                            Joe Sandbox version:42.0.0 Malachite
                                                                                                                                                                                                                            Analysis ID:1640575
                                                                                                                                                                                                                            Start date and time:2025-03-17 13:12:43 +01:00
                                                                                                                                                                                                                            Joe Sandbox product:CloudBasic
                                                                                                                                                                                                                            Overall analysis duration:0h 6m 33s
                                                                                                                                                                                                                            Hypervisor based Inspection enabled:false
                                                                                                                                                                                                                            Report type:full
                                                                                                                                                                                                                            Cookbook file name:default.jbs
                                                                                                                                                                                                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                                                                                                            Number of analysed new started processes analysed:19
                                                                                                                                                                                                                            Number of new started drivers analysed:0
                                                                                                                                                                                                                            Number of existing processes analysed:0
                                                                                                                                                                                                                            Number of existing drivers analysed:0
                                                                                                                                                                                                                            Number of injected processes analysed:0
                                                                                                                                                                                                                            Technologies:
                                                                                                                                                                                                                            • HCA enabled
                                                                                                                                                                                                                            • EGA enabled
                                                                                                                                                                                                                            • AMSI enabled
                                                                                                                                                                                                                            Analysis Mode:default
                                                                                                                                                                                                                            Analysis stop reason:Timeout
                                                                                                                                                                                                                            Sample name:imagine_Whatsapp_2025-03-12.img.exe
                                                                                                                                                                                                                            Detection:MAL
                                                                                                                                                                                                                            Classification:mal92.evad.winEXE@31/22@0/3
                                                                                                                                                                                                                            EGA Information:Failed
                                                                                                                                                                                                                            HCA Information:
                                                                                                                                                                                                                            • Successful, ratio: 87%
                                                                                                                                                                                                                            • Number of executed functions: 57
                                                                                                                                                                                                                            • Number of non-executed functions: 5
                                                                                                                                                                                                                            Cookbook Comments:
                                                                                                                                                                                                                            • Found application associated with file extension: .exe

                                                                                                                                                                                                                            Warnings

                                                                                                                                                                                                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, WerFault.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                                                                                                                                                                                            • Excluded IPs from analysis (whitelisted): 142.250.181.238, 172.217.18.3, 142.250.186.46, 108.177.15.84, 2.16.164.59, 2.16.164.64, 2.16.164.48, 2.16.164.42, 2.16.164.90, 192.168.2.4, 142.250.185.174, 142.250.185.238, 142.250.185.110, 199.232.210.172, 2.23.77.188, 142.250.64.78, 173.194.7.38, 142.250.184.195, 34.104.35.123, 142.250.186.163, 142.250.184.238, 23.199.214.10, 4.175.87.197
                                                                                                                                                                                                                            • Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, edgedl.me.gvt1.com, redirector.gvt1.com, ocsp.digicert.com, r1.sn-p5qddn76.gvt1.com, adobe.com, r1---sn-p5qddn76.gvt1.com, update.googleapis.com, clients.l.google.com, c.pki.goog
                                                                                                                                                                                                                            • Execution Graph export aborted for target InstallUtil.exe, PID 7580 because it is empty
                                                                                                                                                                                                                            • Execution Graph export aborted for target imagine_Whatsapp_2025-03-12.img.exe, PID 7288 because it is empty
                                                                                                                                                                                                                            • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                                                                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                                                                                            • Report size getting too big, too many NtOpenFile calls found.
                                                                                                                                                                                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                                                            • Report size getting too big, too many NtReadVirtualMemory calls found.

                                                                                                                                                                                                                            Simulations

                                                                                                                                                                                                                            Behavior and APIs

                                                                                                                                                                                                                            TimeTypeDescription
                                                                                                                                                                                                                            08:13:47API Interceptor6x Sleep call for process: powershell.exe modified

                                                                                                                                                                                                                            Joe Sandbox View / Context

                                                                                                                                                                                                                            IPs

                                                                                                                                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                            1.1.1.1watchdog.elfGet hashmaliciousXmrigBrowse
                                                                                                                                                                                                                            • 1.1.1.1:8080/
                                                                                                                                                                                                                            6fW0GedR6j.xlsGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                            • 1.1.1.1/ctrl/playback.php
                                                                                                                                                                                                                            PO-230821_pdf.exeGet hashmaliciousFormBook, NSISDropperBrowse
                                                                                                                                                                                                                            • www.974dp.com/sn26/?kJBLpb8=qaEGeuQorcUQurUZCuE8d9pas+Z0M0brqtX248JBolEfq8j8F1R9i1jKZexhxY54UlRG&ML0tl=NZlpi
                                                                                                                                                                                                                            AFfv8HpACF.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                            • 1.1.1.1/

                                                                                                                                                                                                                            Domains

                                                                                                                                                                                                                            No context

                                                                                                                                                                                                                            ASNs

                                                                                                                                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                            CLOUDFLARENETUSPURCHASE ORDER N0259305-06SN.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                                            • 172.67.222.201
                                                                                                                                                                                                                            QUOTATION 03664710859027.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                                                                                            • 104.21.80.1
                                                                                                                                                                                                                            SHANXI Outward Remittance.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                                                                                            • 104.21.48.1
                                                                                                                                                                                                                            Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                                                            • 104.21.32.1
                                                                                                                                                                                                                            RFQ 306 & 307.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                                                                                            • 104.21.48.1
                                                                                                                                                                                                                            http://www.teubes.comGet hashmaliciousCAPTCHA Scam ClickFixBrowse
                                                                                                                                                                                                                            • 188.114.96.3
                                                                                                                                                                                                                            https://check.telavya8.icu/gkcxv.google?i=4876e1f6-ac44-408f-999b-2cd4a9b4a8df%20#%20''I%20am%20not%20a%20'robot'%20-%20%D0%B3e%D0%A1%D0%90%D0%A0%D0%A2%D0%A1%D0%9D%D0%90%20Verification%20ID:%202482''Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                            • 188.114.96.3
                                                                                                                                                                                                                            https://stelladass.co.uk/ra3.pdfGet hashmaliciousHTMLPhisher, Invisible JS, Tycoon2FABrowse
                                                                                                                                                                                                                            • 104.17.25.14
                                                                                                                                                                                                                            ue8Q3DCbNG.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                            • 172.67.74.152
                                                                                                                                                                                                                            eR2hECroRD.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                            • 172.67.74.152
                                                                                                                                                                                                                            HOSTING90UPSTREAMconnectivityCZFcpnluBr4S.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                            • 185.102.77.43
                                                                                                                                                                                                                            FcpnluBr4S.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                            • 185.102.77.43
                                                                                                                                                                                                                            jklarm7.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                            • 171.33.140.91
                                                                                                                                                                                                                            Angebotsanfrage.img.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                            • 185.102.77.43
                                                                                                                                                                                                                            Angebotsanfrage.img.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                            • 185.102.77.43
                                                                                                                                                                                                                            22835271_5115055035.img.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                            • 185.102.77.43
                                                                                                                                                                                                                            22835271_5115055035.img.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                            • 185.102.77.43
                                                                                                                                                                                                                            #U00c1raj#U00e1nlat_k#U00e9r#U00e9s.img.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                            • 185.102.77.43
                                                                                                                                                                                                                            #U00c1raj#U00e1nlat_k#U00e9r#U00e9s.img.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                            • 185.102.77.43
                                                                                                                                                                                                                            zahtjev_za_ponudu.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                            • 185.102.77.43

                                                                                                                                                                                                                            JA3 Fingerprints

                                                                                                                                                                                                                            No context

                                                                                                                                                                                                                            Dropped Files

                                                                                                                                                                                                                            No context

                                                                                                                                                                                                                            Created / dropped Files

                                                                                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                            Download File
                                                                                                                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                            File Type:data
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):1216
                                                                                                                                                                                                                            Entropy (8bit):5.383598719553284
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:24:3TWSKco4KmBs4RPT6BmFoUebIlmjKcmZ9tXt/NK3R8e9rq:jWSU4y4RQmFoUeUmfmZ9tlNWR82m
                                                                                                                                                                                                                            MD5:1148D58C0B5D5D99501F5701B9B7886A
                                                                                                                                                                                                                            SHA1:2B589995D8BC4DBC2DF9C1AF9694A1FB300839C6
                                                                                                                                                                                                                            SHA-256:D0B46F0325FA50453D8866E8747A64757208EF0F547BC55CD66A0009B4E60A6A
                                                                                                                                                                                                                            SHA-512:08BD9F699A1146D425E8F636942F835CDBD2F3B25A0DEE46DA39906B1ABE4376C1F2EB22C71FE286C9E2F0BA0BD9B1D0FE886BB63D5ACBB9A9884BD7F898205B
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Reputation:low
                                                                                                                                                                                                                            Preview:@...e................................................@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.D....................+.H..!...e........System.Configuration.Ins

                                                                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hjcigecl.au3.ps1

                                                                                                                                                                                                                            Download File
                                                                                                                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):60
                                                                                                                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Reputation:high, very likely benign file
                                                                                                                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ubi22bji.dx3.psm1

                                                                                                                                                                                                                            Download File
                                                                                                                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):60
                                                                                                                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                                                                                            C:\Windows\SystemTemp\chrome_BITS_7808_1714663826\puffpatch_out

                                                                                                                                                                                                                            Download File
                                                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                            File Type:Google Chrome extension, version 3
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):6684
                                                                                                                                                                                                                            Entropy (8bit):7.752204071173577
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:192:5Bbi8FdZP0mYIjZcwOSwy90B+hpi8kPVtww:De8DymvjQYrhpGH
                                                                                                                                                                                                                            MD5:95778546493345DD2E3F1E48583B371D
                                                                                                                                                                                                                            SHA1:BCA90D6DC7E7F8E231036E0C3D185C429B09A3C6
                                                                                                                                                                                                                            SHA-256:5C635BBBB3BFC63910E29A0BE9FF5EE0990CCA2D3AAA56E4F4CD2C480C81B7DF
                                                                                                                                                                                                                            SHA-512:8A267663728984CD44C73A32BA0D7DE0A8A626D05D7E45009E1A6031E49B29D6FB9CD9B8E07782B5AE5371F9C90D4E1FB10B8D7787B148663424D899121FDC86
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Preview:Cr24..............0.."0...*.H.............0...........\7c.<........Fto.8.2'5..qk...%....2...C.F.9.#..e.xQ.......[...L|....3>/....u.:T.7...(.yM...?V.<?........1.a...O?d.....A.H..'.MpB..T.m..Vn Ip..>k.|1..n.<Fb..f..*Q1.....s..2..{*.6....Pp....obM..1.......b1.......(.u^.'z......v.F.W.X4."-*eu...b..........J;...........l...j..y..?.....uk.)...<.g.....H.......$M?^....wN.ax..^....\#.<HC...@n..@..yu$.x=........y?.u.&V.M....f........:H....-B.ix..m.......>.5.g.W:.Ck..s.#J.."..)Y....4pH).ED.........}..MT....:.FT./.b....c...t..y....I..G9.Q}...$.a...[...Y......0.."0...*.H.............0..........7...*`D.k.w......!..E.g...=.v/...M..%/ND....X,...=N..5]0t..?.l.1).u.)kZ...ka....+LdL....r.}1....+..v.e.d8Y.R.D..e..<..P#*...R...j.$..H..|%E...?-'.Q}.^.....P........]d.<Z....s'...^.Y.ib..B.n.....lt...G.K...YHS..Oa2......=..(...G.z.c.b9Nd.....0D..R#..c.w......T..c....^.Y>J..u].....C"$a..5..b....S./W.m.d7.)...=.O..).,.k.=....Q&..n.{..W..]L......]]..>b.p..........vrZ....e.....b.

                                                                                                                                                                                                                            C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7808_1010496509\_metadata\verified_contents.json

                                                                                                                                                                                                                            Download File
                                                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                            File Type:JSON data
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):1792
                                                                                                                                                                                                                            Entropy (8bit):6.019348476983808
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:48:p/hP+drAdRW37aktiyC2xCe69xqYGCRk7NOzPI4Ek:RSQw37anyC+CDGGccA4f
                                                                                                                                                                                                                            MD5:0F48EA696FDF31DABB72FD4A472E4A93
                                                                                                                                                                                                                            SHA1:A24862DAB4B7146073F74165D733E8EDA45C5185
                                                                                                                                                                                                                            SHA-256:57645239B1AECD3BFF0EDF2C489A55221855D4DD690541F57129449D34DC2CE6
                                                                                                                                                                                                                            SHA-512:1A32EE516B00800EBE49A17D0DC05A0A21589016A28A6B0CA2934A951DF0E09CDF46B75A9DE7AF62435807DF1EEB10F128284E03AD84A324F7F71EE9AD191CBF
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Preview:[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJtYW5pZmVzdC5qc29uIiwicm9vdF9oYXNoIjoib1hRamtrQnY5dDFiX1Jzc0NBNjJhNzEwZEZZYVl2MktzOHpZTUFXWEUxMCJ9LHsicGF0aCI6InByaXZhY3ktc2FuZGJveC1hdHRlc3RhdGlvbnMuZGF0Iiwicm9vdF9oYXNoIjoiSnBiZFpKbk9wY0tXZE1zWVhZQVozTzNJR1BDZkg1NzZaS1FqbjZWUEtfZyJ9XSwiZm9ybWF0IjoidHJlZWhhc2giLCJoYXNoX2Jsb2NrX3NpemUiOjQwOTZ9XSwiaXRlbV9pZCI6Im5paWtoZGdhamxwaGZlaGVwYWJoaGJsYWtiZGdlZWZqIiwiaXRlbV92ZXJzaW9uIjoiMjAyNS4zLjEyLjAiLCJwcm90b2NvbF92ZXJzaW9uIjoxfQ","signatures":[{"header":{"kid":"publisher"},"protected":"eyJhbGciOiJSUzI1NiJ9","signature":"D1yGWCJ13w_a4aZS-GmRy1UaSnKuPyDaexx705PHm_LYjgxXA8UjTQ9bScleEJZkORAwk9gKs65NUkOIZOPGdPUDhQg3gDWqrESXFzPZk4RzaEwwlPh-33zUE0qWXcz4FwKu1WGN_Ok4HrKRgdihn7ea4OvP8VqvfNRP56CMpOuQxMLdGtj33weeTm9wBG2D-g2De2hqPBC6G0Jr9FnJ_wLkuNsuMmotIuVgQMViTCStpvxyrUiSyBwWdJH9By924Uu66zgVGLnpcv5tMoSwVylMy3ouQ3_lj2ul-hu5YJa7RzW2gOxCwb7ZtnFkfFx

                                                                                                                                                                                                                            C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7808_1010496509\manifest.fingerprint

                                                                                                                                                                                                                            Download File
                                                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):66
                                                                                                                                                                                                                            Entropy (8bit):3.9364303497856072
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:3:SQ/SHHHWbcM8VH5DM/4+MlRddVGWSDn:SQ/+HNMEZR+MlPdVGWSD
                                                                                                                                                                                                                            MD5:ABB7EA6FFEFB13622CB47C36A07B9175
                                                                                                                                                                                                                            SHA1:E593E3B6161F9DF88BACBEF7987BF76F3A886FD5
                                                                                                                                                                                                                            SHA-256:6AC28AE1C8DFDE9830AC0B6C6DF657731FB2C895701AFE13F5682F82C5C69137
                                                                                                                                                                                                                            SHA-512:5F514012BDD35FB413288E161BD0277EB89AC8B0204C1D63603DDEF119946E77D71DCBFD5D2A7694D945595029538F43D0C00DABC2CE2820528EFAEBB121018B
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Preview:1.5c635bbbb3bfc63910e29a0be9ff5ee0990cca2d3aaa56e4f4cd2c480c81b7df

                                                                                                                                                                                                                            C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7808_1010496509\manifest.json

                                                                                                                                                                                                                            Download File
                                                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                            File Type:JSON data
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):97
                                                                                                                                                                                                                            Entropy (8bit):4.60145350054745
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:3:rR6TAulhFphifF1mYTdFKS1oMUm:F6VlMXdTHKS1oVm
                                                                                                                                                                                                                            MD5:A6B4EE3137180CAD95E7BEFB62CBF122
                                                                                                                                                                                                                            SHA1:FA26A56140944B21D6A1ECC7FB3EFC0D97D3EF23
                                                                                                                                                                                                                            SHA-256:A1742392406FF6DD5BFD1B2C080EB66BBD7474561A62FD8AB3CCD8300597135D
                                                                                                                                                                                                                            SHA-512:35AE8B940797600B727DACED0ACF856263D219697DB923747D745D990C8798ADA5159AC36544A6EC5952F74809D5489A371C6BB44325DEE7BBE52965240188E0
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Preview:{. "manifest_version": 2,. "name": "Privacy Sandbox Attestations",. "version": "2025.3.12.0".}

                                                                                                                                                                                                                            C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7808_1010496509\privacy-sandbox-attestations.dat

                                                                                                                                                                                                                            Download File
                                                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                            File Type:data
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):7422
                                                                                                                                                                                                                            Entropy (8bit):5.070572988249595
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:192:I+0f6TueVE9GihNKybjrbgfJsSCiJig+pBWh3zJmOlwy1T:R0f6TudccKybbghsSCeig+vW31m7YT
                                                                                                                                                                                                                            MD5:BA9EB9F524A133FEB268463CE7BE918D
                                                                                                                                                                                                                            SHA1:B91835A18402B8652939B5A25F8DDF1DBD0418A0
                                                                                                                                                                                                                            SHA-256:5103766F23C8FE7FD12DC97F4B8671BC954943BCECFCA4842346E9F2F5FB27AD
                                                                                                                                                                                                                            SHA-512:8FC4B4C4EDDC5EF2ADDAD4FBC52A289C5F59018AAD09A8891AE0F4457908153632B6575155A2256EA13754C1EB329AC9F93050316A3F27429B9CFAC06D9725A0
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Preview:.........https://2k.com..https://33across.com..https://360yield.com..https://3lift.com..https://ad-score.com..https://ad.gt..https://adentifi.com..https://adform.net..https://adingo.jp..https://admatrix.jp..https://admixer.net..https://adnami.io..https://adnxs.com..https://adsafeprotected.com..https://adsrvr.org..https://adthrive.com..https://advividnetwork.com.Nhttps://aggregation-service-site-dot-clz200258-datateam-italy.ew.r.appspot.com..https://anonymised.io..https://aphub.ai..https://appier.net..https://avads.net..https://ayads.io..https://bidswitch.net..https://bidtheatre.net..https://bing.com..https://blendee.com..https://bounceexchange.com..https://bypass.jp..https://casalemedia.com..https://cdn-net.com..https://clickonometrics.pl..https://connected-stories.com..https://crcldu.com..https://creativecdn.com..https://criteo.com..https://ctnsnet.com..https://dabbs.net..https://daum.net..https://display.io..https://dotdashmeredith.com..https://dotomi.com..https://doubleclick.net..ht

                                                                                                                                                                                                                            C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7808_1975068186\Filtering Rules

                                                                                                                                                                                                                            Download File
                                                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                            File Type:data
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):77095
                                                                                                                                                                                                                            Entropy (8bit):5.538618070900601
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:1536:y1RlxQ6jQG4eeBp91moaWQQgw6I7xQvQUjci7UglVMSe/14SorG:YFBjt4xBpeoaVQgw6ItEQUjci7TVMJ46
                                                                                                                                                                                                                            MD5:5F2E8BC6FD4937FBB0939C6773064F3E
                                                                                                                                                                                                                            SHA1:524FAECE2A5491EF2739C2424F962C9ADF74E891
                                                                                                                                                                                                                            SHA-256:4723C6E42380C6A90A601C9BF6E4DD72136958516DE05623DC8D342B6E05F00C
                                                                                                                                                                                                                            SHA-512:D5B3CF6AB579B71F68BB02739B70DE1D403CE59C45442015E09B502E723E9D9FFCCED8429C228F467995CD01A13CAE9D2172994FF0D8677DFE501898922E00B7
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Preview:............0.8.@.R.-728x90...........0.8.@.R.adtdp.com^..........0.8.@.R.just-news.pro^..........0.8.@.R.6dc2699b37.com^..........0.8.@.R.yomeno.xyz^..........0.8.@.R.yellowblue.io^..........0.8.@.R.abh.jp^..........0.8.@.R.ad999.biz^..........0.8.@.R._468_60...........0.8.@.R.adrecover.com^..........0.8.@.R.pemsrv.com^..........0.8.@.R.mnaspm.com^.$........0.8.@.R.tags.refinery89.com^.,........0.8.@.R.mysmth.net/nForum/*/ADAgent_.>........*...worldstar.com0.8.@.R.js.assemblyexchange.com/wana..(........0.8.@.R.ogads-pa.googleapis.com^..........0.8.@.R.indoleads.com^.%......0.8.@.R.discordapp.com/banners/.(........0.8.@.R.looker.com/api/internal/.#........0.8.@.R.broadstreetads.com^.(........0.8.@.R.shikoku-np.co.jp/img/ad/..........0.8.@.R./in/track?data=.!......0.8.@.R.linkbucks.com/tmpl/..........0.8.@.R.clicktripz.com^..........0.8.@.R.-ad-manager/........0.8.@.R.files.slack.com^.$........0.8.@.R.admitad-connect.com^..........0.8.@.R./300-250-.2........0.8.@.R"cloudfront.net/js/com

                                                                                                                                                                                                                            C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7808_1975068186\LICENSE.txt

                                                                                                                                                                                                                            Download File
                                                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):24623
                                                                                                                                                                                                                            Entropy (8bit):4.588307081140814
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:384:mva5sf5dXrCN7tnBxpxkepTqzazijFgZk231Py9zD6WApYbm0:mvagXreRnTqzazWgj0v6XqD
                                                                                                                                                                                                                            MD5:D33AAA5246E1CE0A94FA15BA0C407AE2
                                                                                                                                                                                                                            SHA1:11D197ACB61361657D638154A9416DC3249EC9FB
                                                                                                                                                                                                                            SHA-256:1D4FF95CE9C6E21FE4A4FF3B41E7A0DF88638DD449D909A7B46974D3DFAB7311
                                                                                                                                                                                                                            SHA-512:98B1B12FF0991FD7A5612141F83F69B86BC5A89DD62FC472EE5971817B7BBB612A034C746C2D81AE58FDF6873129256A89AA8BB7456022246DC4515BAAE2454B
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Preview:EasyList Repository Licences.... Unless otherwise noted, the contents of the EasyList repository.. (https://github.com/easylist) is dual licensed under the GNU General.. Public License version 3 of the License, or (at your option) any later.. version, and Creative Commons Attribution-ShareAlike 3.0 Unported, or.. (at your option) any later version. You may use and/or modify the files.. as permitted by either licence; if required, "The EasyList authors.. (https://easylist.to/)" should be attributed as the source of the.. material. All relevant licence files are included in the repository..... Please be aware that files hosted externally and referenced in the.. repository, including but not limited to subscriptions other than.. EasyList, EasyPrivacy, EasyList Germany and EasyList Italy, may be.. available under other conditions; permission must be granted by the.. respective copyright holders to authorise the use of their material.......Creative Commons Attribut

                                                                                                                                                                                                                            C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7808_1975068186\_metadata\verified_contents.json

                                                                                                                                                                                                                            Download File
                                                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                            File Type:JSON data
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):1529
                                                                                                                                                                                                                            Entropy (8bit):5.976028518573561
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:24:pZRj/flTHYFluT1XkYbKgH8jeT3g8zkaoXdKydEHKcL/cAyXoXmKiqJzc64VnICx:p/h4iJfbKgHzT1kakd9d+/LyXkmKL4dJ
                                                                                                                                                                                                                            MD5:B34777C83FE725443F6706F838BFCC71
                                                                                                                                                                                                                            SHA1:FB5FAB94D7E51A04BFECD8CA892A0268A491B68B
                                                                                                                                                                                                                            SHA-256:93FCA3B0D84D2A8B73AEB4F9750EC4075D564677CA62FA9BBD976D5D5619E90C
                                                                                                                                                                                                                            SHA-512:377A4EC4982378ABCDCFD91B257A3EF9FEA2DD9F6757A22DD5F829801FA5553B788155435F5F065FEB70B1E7D3F60812458D631C7C5B77D4E4E629DC3CB1D422
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Preview:[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJGaWx0ZXJpbmcgUnVsZXMiLCJyb290X2hhc2giOiJ6U0s3aDNrdHZHdk0tN0FNeExfLXpmbm9wUldrTkoxU2E0RW1QTVdpa3dnIn0seyJwYXRoIjoiTElDRU5TRS50eHQiLCJyb290X2hhc2giOiIyaWswNmk0TFlCdVNHNWphRGFIS253NE9pdnVSRzZsQ0JKMVk0TGtzRFJJIn0seyJwYXRoIjoibWFuaWZlc3QuanNvbiIsInJvb3RfaGFzaCI6Ik0zUVZyMko2WEZJTjZIaERNdzFiU2RnRUhrdk5NVlMxdnNIU29mWHJtWDQifV0sImZvcm1hdCI6InRyZWVoYXNoIiwiaGFzaF9ibG9ja19zaXplIjo0MDk2fV0sIml0ZW1faWQiOiJnY21qa21nZGxnbmtrY29jbW9laW1pbmFpam1tam5paSIsIml0ZW1fdmVyc2lvbiI6IjkuNTUuMCIsInByb3RvY29sX3ZlcnNpb24iOjF9","signatures":[{"header":{"kid":"publisher"},"protected":"eyJhbGciOiJSUzI1NiJ9","signature":"eVOox95LHt_huD1ZXNk2zxPSK5LxokRu6x0S_ww8Ogb8eOdWxUS-5DWuW4M3rfp6I9tSsLFbZQBy5kvVbkG2XTL2RHMfdF39BNFpjebNLkcQj85ki-IZdn4iYzb7yR8D2jsu2I5aXLZKuwemUaYqw_WiH8DPDTddIWBsR26QcPWGLg1H97vUpe7XsZSs2evmcojkfDe0pzKgmnnsngqJjoPdYbz7iCvc4cTtvuT5q_DqSlH8t

                                                                                                                                                                                                                            C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7808_1975068186\manifest.fingerprint

                                                                                                                                                                                                                            Download File
                                                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):66
                                                                                                                                                                                                                            Entropy (8bit):3.858534313092168
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:3:STED3DG7BRc6VANMdunDlGwpva:S+3y66qNMgDl1pC
                                                                                                                                                                                                                            MD5:00336491D5151AE40C377A836A97D4E1
                                                                                                                                                                                                                            SHA1:B66D1B09F3473DAC79E036F30C12003E1707E0A0
                                                                                                                                                                                                                            SHA-256:3D4821C7C552D1D9F0A36859C34432433A7084B27D7928011B0534215EFFD3C9
                                                                                                                                                                                                                            SHA-512:12E324A3782DC7928FC182C74D3E8CBE8FBF3D884D54A03C891775041B8FAF4B96F4F271C04E67AC3D6FE610F87F63FF5DCD04870AED92B2B470F73BD7AD38D4
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Preview:1.6af08fc2b0dd497e30e40290efcb817b9b1f7dc7f734ab1a9dd000ae01f36050

                                                                                                                                                                                                                            C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7808_1975068186\manifest.json

                                                                                                                                                                                                                            Download File
                                                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                            File Type:JSON data
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):114
                                                                                                                                                                                                                            Entropy (8bit):4.547350270682037
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:3:rR6TAulhFphifFHXG7LGMdv5HcDKhtUJKS1wA:F6VlMZWuMt5SKPS1wA
                                                                                                                                                                                                                            MD5:9585CB6CAE92DF90F9FCE1091C6DA40A
                                                                                                                                                                                                                            SHA1:FCA8BDED549311578C4623680159FFED831FC38B
                                                                                                                                                                                                                            SHA-256:337415AF627A5C520DE87843330D5B49D8041E4BCD3154B5BEC1D2A1F5EB997E
                                                                                                                                                                                                                            SHA-512:99192B2F98C559CE61CFE5796733A9DA01CF9B4CA966500ABDD71E35E18A3BF9B75CE5815E73F19D07F299E4BE2B8FC6B9F289D6BBBBF357B9C0D24622DB8207
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Preview:{. "manifest_version": 2,. "name": "Subresource Filtering Rules",. "ruleset_format": 1,. "version": "9.55.0".}

                                                                                                                                                                                                                            C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7808_2070733410\_metadata\verified_contents.json

                                                                                                                                                                                                                            Download File
                                                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                            File Type:JSON data
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):1805
                                                                                                                                                                                                                            Entropy (8bit):6.024883607738449
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:48:p/h4uF8hr7akIQ2hWNW22oM3ItR0kpOg+G1F:ROuF8p7adWN12OtR0Lgnr
                                                                                                                                                                                                                            MD5:576F86C13500904B2CFF79E7EE9813BF
                                                                                                                                                                                                                            SHA1:A448BFCB7487342E71203F696C91364A881B1A07
                                                                                                                                                                                                                            SHA-256:A6EDBEAD87C0D10CA54F31D719232D4766ECD85247C639097D68777812203BBB
                                                                                                                                                                                                                            SHA-512:5AD87C8AF6C6A8DE90BB09E537EB04D343B7760E5692963C1CF8D6FFFDCD008165DAAECCA94510B591C2BB4C17BD64E48F93ED5277F38A87C53ADED0A7D46ED6
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Preview:[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJoaXN0b3J5X3NlYXJjaF9zdHJpbmdzX2Zhcm1oYXNoZWQuYmluYXJ5cGIiLCJyb290X2hhc2giOiJ1YTFtVjdKTl90enFQNm5uY3RTWUw5dDdLRTByc01MRExMSDZnR095NGM0In0seyJwYXRoIjoibWFuaWZlc3QuanNvbiIsInJvb3RfaGFzaCI6InRoLVdQczdGUDNkdnZudGVUSXpKM1l4eU5iNGtTV19CaFhmVmcyMzh1VHMifV0sImZvcm1hdCI6InRyZWVoYXNoIiwiaGFzaF9ibG9ja19zaXplIjo0MDk2fV0sIml0ZW1faWQiOiJwa29ta2RqcG1qZmJrZ2pqbW1haW9lZ2FvamdkYWhrbSIsIml0ZW1fdmVyc2lvbiI6IjYuNzQzMS45NjkyIiwicHJvdG9jb2xfdmVyc2lvbiI6MX0","signatures":[{"header":{"kid":"publisher"},"protected":"eyJhbGciOiJSUzI1NiJ9","signature":"MULn4zJoWgjGUovjaEHu5NdNW5uCggff98O6sYiY-a_-S7Ukq2rs9C8W20Ptv7UEhYotzE4oil8LYnY-UqU0ldSc1rW3zPuSq0noBsKqcWqb6LZPThWRJL7mu7NC6lU1LXtDjjA-v9Nckv93kI6GF4oXGWWD9TdTgM43sHL8NgyzSnplNmZFc5wPIRV0NETtKxxsH9xpq1koJOHX4QlDMHkBW1hgHTq3cxx4o_oUDOv2Z7tBDz0wrhoqfNNsB6S7XByGiqjggrMcVdKSNN-4M29i6MxtcUXiM4Ub6URQWqytMmMnvE

                                                                                                                                                                                                                            C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7808_2070733410\history_search_strings_farmhashed.binarypb

                                                                                                                                                                                                                            Download File
                                                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                            File Type:data
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):5798
                                                                                                                                                                                                                            Entropy (8bit):3.599861932645689
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:96:E22zlb4j7OXw9g5qd49REHkN/v5zNnVUiic04saNJOkCDclgGNSrRnKjt3P:E2ilbC7Og9ga49Rnlv5zNn69cHhfOkEI
                                                                                                                                                                                                                            MD5:07A6A55A8B1305A04B488B3433378A40
                                                                                                                                                                                                                            SHA1:39249258EEA0473B37E468CCDB9C59D7B70B25B9
                                                                                                                                                                                                                            SHA-256:A30999F36D840D218ED88CD402C072824EE11D141265BB66F972317075338DFE
                                                                                                                                                                                                                            SHA-512:EAA73D7B069BBFDF9C5B8D3A84888587130CEC9F71EC3749B002C58D4C040818A6D9620B20D75B5215B045211E34092CCBB9D7EBDDCF43D7A30A82BEEB53C918
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Preview:..2268878645..4150166211..3635766556..3100622694..2882857065..3113504532..4059982422..4190559762..490846406..472993679..746129187..3645806673..1587074553..3252136094..454137344..2485329947..1943545055..1560292331..1486366630..1790112295..68088445..239052483..663419390..2044611818..1818734386..1871588911..3661116714..3175320285..747058853..583773896..666111195..2266945682..1478812737..3751622037..4151348701..3296391498..2686649576..617189129..1814883064..41944762..626317099..3440834169..2196127073..640291836..2673380821..2169761756..3679871750..944943261..1583032654..2782972117..812563865..854749838..455904146..1251777507..2908954221..3422582911..3561876415..1990992201..3889187132..3501061295..4079828929..2683714405..2580287260..4018857391..133884271..3578942588..1542465893..2861684106..2400676353..2947221933..2418369878..550889930..4011599249..1197477470..2797574022..99329549..3815070852..2798633240..3378839655..2538816597..848749005..454704005..2817621037..4224936049..2114247913..3472

                                                                                                                                                                                                                            C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7808_2070733410\manifest.fingerprint

                                                                                                                                                                                                                            Download File
                                                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):66
                                                                                                                                                                                                                            Entropy (8bit):3.878459128441013
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:3:STDjQccBkR+Y5xUd71n:SPjlkkYY5uBn
                                                                                                                                                                                                                            MD5:226C19B7ABCCA37C5553C59906378234
                                                                                                                                                                                                                            SHA1:8707E3D4D89E0C9103366A1553EAB54FA268D8D5
                                                                                                                                                                                                                            SHA-256:47502668458687050B5C0B7651DEF5507590571536FE77EC8B613D3EC0DBE737
                                                                                                                                                                                                                            SHA-512:1C30A40CCC6B05B915446CCB46C5A8EC1A2D0D77B458283E02CE91BF6734D9AD6C8EEBC62E03821B476307D4D219AFC6B0BA0D1DA81700DC9937CEB809C1DC10
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Preview:1.6f9945bb965ce4aef3427164fc19faf47a46b069dd2c9f1f931858445e1652a0

                                                                                                                                                                                                                            C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7808_2070733410\manifest.json

                                                                                                                                                                                                                            Download File
                                                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                            File Type:JSON data
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):111
                                                                                                                                                                                                                            Entropy (8bit):4.711410209193507
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:3:rR6TAulhFphifFCXc9hAxo6YXwEW7EUJHKS1ydcCHA:F6VlMDlpwEhU0S1ydcCg
                                                                                                                                                                                                                            MD5:ACB265E0B9230EBC82351E2923EFC08B
                                                                                                                                                                                                                            SHA1:1D2DA6BABC7723DFAC6E564AA1CA3C00A2F55608
                                                                                                                                                                                                                            SHA-256:B61F963ECEC53F776FBE7B5E4C8CC9DD8C7235BE24496FC18577D5836DFCB93B
                                                                                                                                                                                                                            SHA-512:F70EA258E4613350B389ACE5EBBD62479B5B71BA555EC064447E9CAA08DF71B449660841E688E46C0333DC88A3E5F00EC29AF21799E0787E6E7E822B913F7D89
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Preview:{. "manifest_version": 2,. "name": "history_search_strings_farmhashed.binarypb",. "version": "6.7431.9692".}

                                                                                                                                                                                                                            C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7808_912150650\LICENSE

                                                                                                                                                                                                                            Download File
                                                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                            File Type:ASCII text
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):1558
                                                                                                                                                                                                                            Entropy (8bit):5.11458514637545
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:48:OBOCrYJ4rYJVwUCLHDy43HV713XEyMmZ3teTHn:LCrYJ4rYJVwUCHZ3Z13XtdUTH
                                                                                                                                                                                                                            MD5:EE002CB9E51BB8DFA89640A406A1090A
                                                                                                                                                                                                                            SHA1:49EE3AD535947D8821FFDEB67FFC9BC37D1EBBB2
                                                                                                                                                                                                                            SHA-256:3DBD2C90050B652D63656481C3E5871C52261575292DB77D4EA63419F187A55B
                                                                                                                                                                                                                            SHA-512:D1FDCC436B8CA8C68D4DC7077F84F803A535BF2CE31D9EB5D0C466B62D6567B2C59974995060403ED757E92245DB07E70C6BDDBF1C3519FED300CC5B9BF9177C
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Preview:// Copyright 2015 The Chromium Authors. All rights reserved..//.// Redistribution and use in source and binary forms, with or without.// modification, are permitted provided that the following conditions are.// met:.//.// * Redistributions of source code must retain the above copyright.// notice, this list of conditions and the following disclaimer..// * Redistributions in binary form must reproduce the above.// copyright notice, this list of conditions and the following disclaimer.// in the documentation and/or other materials provided with the.// distribution..// * Neither the name of Google Inc. nor the names of its.// contributors may be used to endorse or promote products derived from.// this software without specific prior written permission..//.// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS.// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT.// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR.// A PARTICULAR

                                                                                                                                                                                                                            C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7808_912150650\_metadata\verified_contents.json

                                                                                                                                                                                                                            Download File
                                                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                            File Type:JSON data
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):1864
                                                                                                                                                                                                                            Entropy (8bit):6.00682540004288
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:48:p/hUjSoCWAdte7akapu8IA1MSrhykmwDkV:RfpWQte7aSunyRb
                                                                                                                                                                                                                            MD5:28706AD42E4C615A683C2494BC0BD2AF
                                                                                                                                                                                                                            SHA1:6B0465B3D5E85A3EA76C646BA8652C4DC0248DC0
                                                                                                                                                                                                                            SHA-256:709BBB3E3A17E2B7BBF9F4AFDCF465312695342CE4EB203DF284233EACEE086F
                                                                                                                                                                                                                            SHA-512:E95DA92F1AD5F56EF61A5992A1B465D46F36EFF1FC85643CC5AB3F357B6F14D81A5B5590D0E18D4DA5FCC3AC537A469FD0C15B116A3471536707A9716119FA5F
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Preview:[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJMSUNFTlNFIiwicm9vdF9oYXNoIjoiUGIwc2tBVUxaUzFqWldTQnctV0hIRkltRlhVcExiZDlUcVkwR2ZHSHBWcyJ9LHsicGF0aCI6ImtleXMuanNvbiIsInJvb3RfaGFzaCI6IlJ1R2ZTVTVlZVdiRHczOVpOMmQ5NHhIRkJuY2JNMWxtZXgybk5ZVmhMU00ifSx7InBhdGgiOiJtYW5pZmVzdC5qc29uIiwicm9vdF9oYXNoIjoiVXdpQzFfVTFybGVra0d5bk5iRVp5ZU5rZ011M2dNZm9yVGZKeVAzejJiRSJ9XSwiZm9ybWF0IjoidHJlZWhhc2giLCJoYXNoX2Jsb2NrX3NpemUiOjQwOTZ9XSwiaXRlbV9pZCI6ImtpYWJoYWJqZGJramRwamJwaWdmb2RiZGptYmdsY29vIiwiaXRlbV92ZXJzaW9uIjoiMjAyNS4xLjE3LjEiLCJwcm90b2NvbF92ZXJzaW9uIjoxfQ","signatures":[{"header":{"kid":"publisher"},"protected":"eyJhbGciOiJSUzI1NiJ9","signature":"DjJ0cJJFQPGNShH6cqF0KMXYB9LDN7hZ0z-M2b0RfT3cl9Mxp62MiQM0bqevSkL0tNe9rHL_VWqPqY7PDdCoumMJ-TVwboLlLJq3c1H9NYQgQ-nQS4F3mFBvP0YJ-Kunf6byMQnF4FLGqtuRouNWZBUqyahkm__1_0-5qoAVqSms3wmBnmVhb1z4p-I6jEjko0pLBq4dad2vH7G6THiOPP15L1ozQ42gvfw5aLvn_Itjpwq7GaU9lNv

                                                                                                                                                                                                                            C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7808_912150650\keys.json

                                                                                                                                                                                                                            Download File
                                                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                            File Type:JSON data
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):6690
                                                                                                                                                                                                                            Entropy (8bit):5.981211959058716
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:96:UXq6pG2GE+Vy2+m0plhYvPuW+wkpTm+ozdswsDm4+uTagSfC3AQj+y:uNtGbVKm4lOvMwkoR9PuGs3gy
                                                                                                                                                                                                                            MD5:BEF4F9F856321C6DCCB47A61F605E823
                                                                                                                                                                                                                            SHA1:8E60AF5B17ED70DB0505D7E1647A8BC9F7612939
                                                                                                                                                                                                                            SHA-256:FD1847DF25032C4EEF34E045BA0333F9BD3CB38C14344F1C01B48F61F0CFD5C5
                                                                                                                                                                                                                            SHA-512:BDEC3E243A6F39BFEA4130C85B162EA00A4974C6057CD06A05348AC54517201BBF595FCC7C22A4AB2C16212C6009F58DF7445C40C82722AB4FA1C8D49D39755C
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Preview:{"https://issuer.captchafox.com":{"PrivateStateTokenV1VOPRF":{"batchsize":1,"id":1,"keys":{"0":{"Y":"AAAAAQQiyE+SESbq7GU5rTx6tZO4tBOxljp+Oya2mU28O+YoALIyXlLLqnl/h5h95ExYSsOlmMIb8EdsJBTrCaDl/KIZSskrfMbZpjhShG0jwnbXojEHI9WaAxKLkX/A/DkyMEg=","expiry":"1734807628115000"},"1":{"Y":"AAAAAQRNtld+5LLBquS4bEJKJwlLw61tzIyqTNkvMVnUTu+YiphbdGrRCjeDTN9D3p1Tgpfmq0N/OKMBYWzDMEN8Km9p9s49c6N2ph4B1MV1m7Ogdj969MOsTw54Kc849oqDl8s=","expiry":"1734807628115000"},"2":{"Y":"AAAAAQSBWW003A3ORFURCZrWNnbEIH15yzk184DaLSebbGzRdyCYtAM1qhhVmXZyBtWTzh6Bfkk5rLPyE1xdQilofPBizF/QJsdaMU0GYhPW1sOU4xoKbmgd/XrnOoFqA2ETOuc=","expiry":"1734807628115000"},"3":{"Y":"AAAAAQSG/ftGdm5B6iwAmVsHt6s43xx3nRf/Vpx9GdeEt3jSTM8hHvyLE9FAEkinGjt4Fp5EjnkCdE96Cxz10nZJRrMApIrGhG5kAoDu4T8PjJPiFQFyHAOdTG7OJWi2NS/rl1A=","expiry":"1734807628115000"},"4":{"Y":"AAAAAQT36tqe550UP5A+4Eokt8iuPZEuWQc9cGJXd7zUCZzrsqtGu3PMcVbOj5DjC4W+yoyF3HqKOqdtiBWgcMsZOcyln/6jUKqf5tS9AoIHa9CC3kQB8ISQd3lhR5j+qWVY8ms=","expiry":"1734807628115000"},"5":{"Y":"AAAAAQQMjaLNCR

                                                                                                                                                                                                                            C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7808_912150650\manifest.fingerprint

                                                                                                                                                                                                                            Download File
                                                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):66
                                                                                                                                                                                                                            Entropy (8bit):4.005340674128682
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:3:SUsO4D2HGQ42IAVFxx9WQnRJn:SUsO4qmQHVDx0QDn
                                                                                                                                                                                                                            MD5:030D9E3F4502E24594ABCA380C073974
                                                                                                                                                                                                                            SHA1:AE068D4F8C668477DD8F4BC2892F09D0802130E0
                                                                                                                                                                                                                            SHA-256:FD86A9E808BCC78B926C111633615D9A807D60A20CE2BAC7360915336ABB738F
                                                                                                                                                                                                                            SHA-512:F28A0311A80FE81965874AE5A46161A7658E149AA48E26B81C500339461B84F2EB53193AEF4E4C78AADB7191AC4518E81BBFB1672CE6077200CC6DF5FAC4054B
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Preview:1.1987650928271ad440c2b8a50f309139de82c742fb6f1f3ea055b35718ac46e7

                                                                                                                                                                                                                            C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7808_912150650\manifest.json

                                                                                                                                                                                                                            Download File
                                                                                                                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                            File Type:JSON data
                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                            Size (bytes):79
                                                                                                                                                                                                                            Entropy (8bit):4.442932812379182
                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                            SSDEEP:3:rR6TAulhFphifFIPgS1oSLsY:F6VlMyPgS1oxY
                                                                                                                                                                                                                            MD5:7F4B594A35D631AF0E37FEA02DF71E72
                                                                                                                                                                                                                            SHA1:F7BC71621EA0C176CA1AB0A3C9FE52DBCA116F57
                                                                                                                                                                                                                            SHA-256:530882D7F535AE57A4906CA735B119C9E36480CBB780C7E8AD37C9C8FDF3D9B1
                                                                                                                                                                                                                            SHA-512:BF3F92F5023F0FBAD88526D919252A98DB6D167E9CA3E15B94F7D71DED38A2CFB0409F57EF24708284DDD965BDA2D3207CD99C008B1C9C8C93705FD66AC86360
                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                            Preview:{. "manifest_version": 2,. "name": "trustToken",. "version": "2025.1.17.1".}

                                                                                                                                                                                                                            Static File Info

                                                                                                                                                                                                                            General

                                                                                                                                                                                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                            Entropy (8bit):5.278604351459561
                                                                                                                                                                                                                            TrID:
                                                                                                                                                                                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                                                                                                                                                            • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                                                                                                                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                                                                                                                            • Windows Screen Saver (13104/52) 0.07%
                                                                                                                                                                                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                                                                                                            File name:imagine_Whatsapp_2025-03-12.img.exe
                                                                                                                                                                                                                            File size:1'112'576 bytes
                                                                                                                                                                                                                            MD5:352c3764bb9f59d7b21cab61930be003
                                                                                                                                                                                                                            SHA1:58a5f679d05c4d845ba83bd326d58b4223f76b6a
                                                                                                                                                                                                                            SHA256:252adea6ee9da3c00b53667295d5ce774e827f3c5d5f300d223c71c202d18c16
                                                                                                                                                                                                                            SHA512:393e087d04ae6f452dc817f2521436170e319e4f930b43614feb2b18769baeb45529b3440ee6c40c44330f7ad9463b572d39af7420749ed0756a3011d60536c8
                                                                                                                                                                                                                            SSDEEP:12288:ug1uvhU8teOHpd+v6elhuScWfpHsajWu4sAnUe05REVkhH6:F0vuwVcuSzsajWu4sAnUeKH6
                                                                                                                                                                                                                            TLSH:DF352D23F64FEAA1C1545FF3EE9B0C0053A8E6817717D65FB9CA236A18437BA9D41207
                                                                                                                                                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g............................>.... ... ....@.. .......................`............`................................

                                                                                                                                                                                                                            File Icon

                                                                                                                                                                                                                            Icon Hash:20600f130303dc2a

                                                                                                                                                                                                                            Static PE Info

                                                                                                                                                                                                                            General

                                                                                                                                                                                                                            Entrypoint:0x51003e
                                                                                                                                                                                                                            Entrypoint Section:.text
                                                                                                                                                                                                                            Digitally signed:false
                                                                                                                                                                                                                            Imagebase:0x400000
                                                                                                                                                                                                                            Subsystem:windows gui
                                                                                                                                                                                                                            Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                                                                                                                                                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                                            Time Stamp:0x67D1109F [Wed Mar 12 04:42:07 2025 UTC]
                                                                                                                                                                                                                            TLS Callbacks:
                                                                                                                                                                                                                            CLR (.Net) Version:
                                                                                                                                                                                                                            OS Version Major:4
                                                                                                                                                                                                                            OS Version Minor:0
                                                                                                                                                                                                                            File Version Major:4
                                                                                                                                                                                                                            File Version Minor:0
                                                                                                                                                                                                                            Subsystem Version Major:4
                                                                                                                                                                                                                            Subsystem Version Minor:0
                                                                                                                                                                                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                                                                                                                                            Entrypoint Preview

                                                                                                                                                                                                                            Instruction
                                                                                                                                                                                                                            jmp dword ptr [00402000h]
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                                                                            add byte ptr [eax], al

                                                                                                                                                                                                                            Data Directories

                                                                                                                                                                                                                            NameVirtual AddressVirtual Size Is in Section
                                                                                                                                                                                                                            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                                                                                                                                                            IMAGE_DIRECTORY_ENTRY_IMPORT0x10fff00x4b.text
                                                                                                                                                                                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE0x1120000x13e8.rsrc
                                                                                                                                                                                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                                                                                                                                                            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                                                                                                                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC0x1140000xc.reloc
                                                                                                                                                                                                                            IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                                                                                                                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                                                                                                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                                                                                                                                            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                                                                                                                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                                                                                                                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                                                                                                                                                            IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                                                                                                                                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                                                                                                                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                                                                                                                                                                            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                                                                                                                                                            Sections

                                                                                                                                                                                                                            NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                                                                                                                                            .text0x20000x10e0440x10e2001329329c1f338086e17d9ffd05521bb1False0.37042493347987043data5.272284190079922IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                                                                                                                                                            .rsrc0x1120000x13e80x140078d29247b980b49626680cf147ac4e03False0.3810546875data5.165273387331379IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                                                                                                                            .reloc0x1140000xc0x2001b26fe84c0b480855879b363fea6489aFalse0.044921875data0.08153941234324169IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                                                                                                                                            Resources

                                                                                                                                                                                                                            NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                                                                                                                                                                            RT_ICON0x1121300xca8Device independent bitmap graphic, 24 x 64 x 32, image size 3072, resolution 5669 x 5669 px/m0.3506172839506173
                                                                                                                                                                                                                            RT_GROUP_ICON0x112dd80x14data1.15
                                                                                                                                                                                                                            RT_VERSION0x112dec0x410data0.39134615384615384
                                                                                                                                                                                                                            RT_MANIFEST0x1131fc0x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                                                                                                                                                                                                                            Imports

                                                                                                                                                                                                                            DLLImport
                                                                                                                                                                                                                            mscoree.dll_CorExeMain

                                                                                                                                                                                                                            Version Infos

                                                                                                                                                                                                                            DescriptionData
                                                                                                                                                                                                                            Translation0x0000 0x04b0
                                                                                                                                                                                                                            CommentsGoogle Chrome
                                                                                                                                                                                                                            CompanyNameGoogle LLC
                                                                                                                                                                                                                            FileDescriptionGoogle Chrome
                                                                                                                                                                                                                            FileVersion133.0.6943.54
                                                                                                                                                                                                                            InternalNameimagine_Whatsapp_2025-03-12.img.exe
                                                                                                                                                                                                                            LegalCopyrightCopyright 2025 Google LLC. All rights reserved.
                                                                                                                                                                                                                            LegalTrademarks
                                                                                                                                                                                                                            OriginalFilenameimagine_Whatsapp_2025-03-12.img.exe
                                                                                                                                                                                                                            ProductNameGoogle Chrome
                                                                                                                                                                                                                            ProductVersion133.0.6943.54
                                                                                                                                                                                                                            Assembly Version133.0.6943.54

                                                                                                                                                                                                                            Network Behavior

                                                                                                                                                                                                                            No network behavior found

                                                                                                                                                                                                                            Statistics

                                                                                                                                                                                                                            CPU Usage

                                                                                                                                                                                                                            Click to jump to process

                                                                                                                                                                                                                            Memory Usage

                                                                                                                                                                                                                            Click to jump to process

                                                                                                                                                                                                                            High Level Behavior Distribution

                                                                                                                                                                                                                            Click to dive into process behavior distribution

                                                                                                                                                                                                                            Behavior

                                                                                                                                                                                                                            Click to jump to process

                                                                                                                                                                                                                            System Behavior

                                                                                                                                                                                                                            General

                                                                                                                                                                                                                            Target ID:0
                                                                                                                                                                                                                            Start time:08:13:42
                                                                                                                                                                                                                            Start date:17/03/2025
                                                                                                                                                                                                                            Path:C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exe
                                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                                            Commandline:"C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exe"
                                                                                                                                                                                                                            Imagebase:0xf30000
                                                                                                                                                                                                                            File size:1'112'576 bytes
                                                                                                                                                                                                                            MD5 hash:352C3764BB9F59D7B21CAB61930BE003
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Yara matches:
                                                                                                                                                                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1249025627.0000000003474000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1294938065.0000000006B20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1281351430.00000000047BE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                            Reputation:low
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            General

                                                                                                                                                                                                                            Target ID:2
                                                                                                                                                                                                                            Start time:08:13:46
                                                                                                                                                                                                                            Start date:17/03/2025
                                                                                                                                                                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process "https://adobe.com"
                                                                                                                                                                                                                            Imagebase:0xe00000
                                                                                                                                                                                                                            File size:433'152 bytes
                                                                                                                                                                                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            General

                                                                                                                                                                                                                            Target ID:3
                                                                                                                                                                                                                            Start time:08:13:46
                                                                                                                                                                                                                            Start date:17/03/2025
                                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                            Imagebase:0x7ff62fc20000
                                                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            General

                                                                                                                                                                                                                            Target ID:4
                                                                                                                                                                                                                            Start time:08:13:46
                                                                                                                                                                                                                            Start date:17/03/2025
                                                                                                                                                                                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                                                                                                                                                                                                            Imagebase:0xbf0000
                                                                                                                                                                                                                            File size:42'064 bytes
                                                                                                                                                                                                                            MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                                                                                                                                                                                                            Has elevated privileges:false
                                                                                                                                                                                                                            Has administrator privileges:false
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                                                            Has exited:false

                                                                                                                                                                                                                            General

                                                                                                                                                                                                                            Target ID:7
                                                                                                                                                                                                                            Start time:08:13:48
                                                                                                                                                                                                                            Start date:17/03/2025
                                                                                                                                                                                                                            Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                                            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7580 -s 1144
                                                                                                                                                                                                                            Imagebase:0x350000
                                                                                                                                                                                                                            File size:483'680 bytes
                                                                                                                                                                                                                            MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                                                                            Has elevated privileges:false
                                                                                                                                                                                                                            Has administrator privileges:false
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                                            General

                                                                                                                                                                                                                            Target ID:8
                                                                                                                                                                                                                            Start time:08:13:48
                                                                                                                                                                                                                            Start date:17/03/2025
                                                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://adobe.com/
                                                                                                                                                                                                                            Imagebase:0x7ff786830000
                                                                                                                                                                                                                            File size:3'388'000 bytes
                                                                                                                                                                                                                            MD5 hash:E81F54E6C1129887AEA47E7D092680BF
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                                                            Has exited:false

                                                                                                                                                                                                                            General

                                                                                                                                                                                                                            Target ID:9
                                                                                                                                                                                                                            Start time:08:13:48
                                                                                                                                                                                                                            Start date:17/03/2025
                                                                                                                                                                                                                            Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                                            Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1892,i,3081667511989857361,15125524406106775601,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2024 /prefetch:3
                                                                                                                                                                                                                            Imagebase:0x7ff786830000
                                                                                                                                                                                                                            File size:3'388'000 bytes
                                                                                                                                                                                                                            MD5 hash:E81F54E6C1129887AEA47E7D092680BF
                                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                                                            Has exited:false

                                                                                                                                                                                                                            Disassembly

                                                                                                                                                                                                                            Reset < >

                                                                                                                                                                                                                              Executed Functions

                                                                                                                                                                                                                              Function 07400E10 Relevance: 3.1, Strings: 2, Instructions: 607COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1300106364.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1299907213.00000000073B0000.00000004.08000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_73b0000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID: fq$8
                                                                                                                                                                                                                              • API String ID: 0-1651916650
                                                                                                                                                                                                                              • Opcode ID: 35c6e4cd05355f7efbf75b1a43f78bae7cd71a11f394929579dca7b068dff391
                                                                                                                                                                                                                              • Instruction ID: 24481bcfd3696858a30595e83bb019976bb4133e325cd995163630e09629c242
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 35c6e4cd05355f7efbf75b1a43f78bae7cd71a11f394929579dca7b068dff391
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8F52D675D012298FDBA4DF69CC50AD9B7B6FF89300F1086AAD509A7354DB30AE85CF90
                                                                                                                                                                                                                              Function 0736F900 Relevance: 1.5, Strings: 1, Instructions: 276COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1299671417.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7350000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID: Dq
                                                                                                                                                                                                                              • API String ID: 0-144822681
                                                                                                                                                                                                                              • Opcode ID: 6cb210b37389c11424928c0fdddd9f2297ece7342d15984cf08076df0e939bcd
                                                                                                                                                                                                                              • Instruction ID: 512f6f7619a598f443d982547ea6e6ece26d10d15ce12a5e0e2a950f7330d971
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 6cb210b37389c11424928c0fdddd9f2297ece7342d15984cf08076df0e939bcd
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 12D1AFB4A00219CFDB54DFA9D894B9DBBB2FF89300F1081A9D409AB365DB35AD85CF50
                                                                                                                                                                                                                              Function 0736F648 Relevance: .1, Instructions: 146COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1299671417.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7350000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 914a48c4b88d05d2fc4ad4fc4980d4b34b7739325a8e395eb15ee1013d964e4d
                                                                                                                                                                                                                              • Instruction ID: 0a148682880f19158bd8f9a93c721843502f5b2ec6771bb2c2d460510ca95f06
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 914a48c4b88d05d2fc4ad4fc4980d4b34b7739325a8e395eb15ee1013d964e4d
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 32514AB4E1520ACBDB04CFA9D9856AEBBF6FF88300F24C129D409E7354D734A941CB95
                                                                                                                                                                                                                              Function 07350F2C Relevance: 1.3, Strings: 1, Instructions: 48COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1299671417.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7350000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID: !
                                                                                                                                                                                                                              • API String ID: 0-2657877971
                                                                                                                                                                                                                              • Opcode ID: 74eb63a30f5397f0e25e7aaab9df8c57eaf8da7e9fa8695f7a215a775c3a9f8f
                                                                                                                                                                                                                              • Instruction ID: d47ed3391b74829f44967c1a4e0674e60ef0c0746af3321f7df8dd9a471c4015
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 74eb63a30f5397f0e25e7aaab9df8c57eaf8da7e9fa8695f7a215a775c3a9f8f
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 7D1159B491412ACFEB69CF64C888BEAB3B9FB09304F0195E6950DA3640D7745EC4CF22
                                                                                                                                                                                                                              Function 073502B4 Relevance: 1.3, Strings: 1, Instructions: 32COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1299671417.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7350000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID: }
                                                                                                                                                                                                                              • API String ID: 0-4239843852
                                                                                                                                                                                                                              • Opcode ID: daa91b697e6f46213fd220bcf261260cbebfbb80881095d620f21b218edf15de
                                                                                                                                                                                                                              • Instruction ID: e85f1010eec4bc66f01ea2a7e8c5e9ddd46fc2d66a8793daba760f66b7e537b9
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: daa91b697e6f46213fd220bcf261260cbebfbb80881095d620f21b218edf15de
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: B9014878A022588FC715DF18DD98B9AB3B6FB88305F1091D8950DA7784CA356E81CF41
                                                                                                                                                                                                                              Function 01672BB4 Relevance: .1, Instructions: 146COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1248136704.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_1670000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 3b738022dcfb45b7d71d2363d21b3646c9e3f34c0040c1de91d68796bd73ab8f
                                                                                                                                                                                                                              • Instruction ID: 94fca1d108f8d2eac1b87dc966a1c71cb8dd17987c21864de30c8a215cac2417
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 3b738022dcfb45b7d71d2363d21b3646c9e3f34c0040c1de91d68796bd73ab8f
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: A1515B35A04504CFDB54CF68DC68BA977F2FB88310F199469E9029B7A6CB74AC81CF40
                                                                                                                                                                                                                              Function 07369B90 Relevance: .1, Instructions: 142COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1299671417.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7350000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 1f9636a140fc77ec159875c7ae827107be45ba07df7f34c8f583182881b93ceb
                                                                                                                                                                                                                              • Instruction ID: aaf38527279e8fb9978769f5ea6e5b5bfc2f8f9d6a667eef49ee247b0fc71896
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 1f9636a140fc77ec159875c7ae827107be45ba07df7f34c8f583182881b93ceb
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 2951E5B4D04219CFEB04DFA9D8587EEBBBAFB89300F10902AD409A7358DB746945CF55
                                                                                                                                                                                                                              Function 01672BC0 Relevance: .1, Instructions: 139COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1248136704.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_1670000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 66b35fe3e16502aa761a1909a8538958bcd966e31c2f69b3816d1d06224ff81a
                                                                                                                                                                                                                              • Instruction ID: 71b531ed663e886bb7ed5286c880a9ca3a82cefb98ba7398b10a88670566899c
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 66b35fe3e16502aa761a1909a8538958bcd966e31c2f69b3816d1d06224ff81a
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: ED515835A04504CFD754CF69DC68BA977F2FB8C310F28A469E9029B7A6CB74AC81CB50
                                                                                                                                                                                                                              Function 0736F398 Relevance: .1, Instructions: 131COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1299671417.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7350000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: eb97215fd52dc72fdccf89b86f0f975f0ebf184c7bca805e49b4aa06c4fc1621
                                                                                                                                                                                                                              • Instruction ID: 7368d3c0c619b4177107f1a5c4d842160619799fa11c9d2287b1e495c34fc9e3
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: eb97215fd52dc72fdccf89b86f0f975f0ebf184c7bca805e49b4aa06c4fc1621
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: A75126B4E0120A9FDB44DFA9E844AAEB7B6FF89301F20D029D419A7394DB796D01CF50
                                                                                                                                                                                                                              Function 01671852 Relevance: .1, Instructions: 125COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1248136704.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_1670000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: fec91e814b97250bf5849910e4d9510af7a86e35d7efaf472b380b79d5948017
                                                                                                                                                                                                                              • Instruction ID: 38a557941f89e504282165616b0ac460fe95c8f798cfd304f0c4826e9dc83294
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: fec91e814b97250bf5849910e4d9510af7a86e35d7efaf472b380b79d5948017
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 2B41B030B002048FDB59DB69D8547AD77F3FBCA310F19856AD40AAB3A4DB34AC42CB95
                                                                                                                                                                                                                              Function 016719CD Relevance: .1, Instructions: 111COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1248136704.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_1670000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 7e43e9b01b8f8c8a447b8218c6ea0d9ddf0eab368e6139c90bcf10e28d7e84ed
                                                                                                                                                                                                                              • Instruction ID: 638ad673ce506361fd715a3c1beb709c38cfe04396e5cbf6e8abc6a90561fa5f
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 7e43e9b01b8f8c8a447b8218c6ea0d9ddf0eab368e6139c90bcf10e28d7e84ed
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 15419F30B006048FDB59DB69D8547AD77F3FB8A310F19846AD4069B3A4DB34AC42CB55
                                                                                                                                                                                                                              Function 01671921 Relevance: .1, Instructions: 85COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1248136704.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_1670000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 6fbc1a04dfe5c37e07fe66dd40961cb1f5b2c0f22f540e8dd4a5795ca9201b0d
                                                                                                                                                                                                                              • Instruction ID: fee8a5bfb3df04bc99cb37b3fd5bb5bf11f236f7caadf4b90b4d4e370d6f7c87
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 6fbc1a04dfe5c37e07fe66dd40961cb1f5b2c0f22f540e8dd4a5795ca9201b0d
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 7F318B30B006048FDB55DB29C844BAD77E6FB8A314F1590AAE4069B364DB38AC42CB94
                                                                                                                                                                                                                              Function 0167B580 Relevance: .1, Instructions: 79COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1248136704.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_1670000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 55cc763266e86601a3a119acc73edbe11f019441f6aff64a23581c8d3dee6541
                                                                                                                                                                                                                              • Instruction ID: 9b37a9258fa691db89ca3c4db2c9b26257b0ae5fe738c4b62a84a73e4752ce0d
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 55cc763266e86601a3a119acc73edbe11f019441f6aff64a23581c8d3dee6541
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: C73105B0901209DFEB04DFA9D9487AFBBF2FB48305F2090A9C209A7384D7754A45CF96
                                                                                                                                                                                                                              Function 0161D030 Relevance: .1, Instructions: 74COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1247928255.000000000161D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0161D000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_161d000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 3b2da7893e21e700d4f74c12e31af653784749cf1644dc59d9d79f1bc56a224c
                                                                                                                                                                                                                              • Instruction ID: aaebcc67b0367a7707d04b492740447ebaf1439470c6b9f1d3a5ebd3c1192ba9
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 3b2da7893e21e700d4f74c12e31af653784749cf1644dc59d9d79f1bc56a224c
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: CE212272504240DFDB15DF54EDC8B26BBA5FB84311F28C16DE8090B24AC336D817CBA2
                                                                                                                                                                                                                              Function 0161D006 Relevance: .1, Instructions: 74COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1247928255.000000000161D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0161D000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_161d000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 8a85c3d0510e59b6ae6c0929dc213657d47352aeb4ca3996fdabb842a6b6fe00
                                                                                                                                                                                                                              • Instruction ID: aade9416be5f33b29713ed06972f87f74ebc283cdaeecd024cccd14bae88b06c
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 8a85c3d0510e59b6ae6c0929dc213657d47352aeb4ca3996fdabb842a6b6fe00
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 0F215A710093C09FDB03CF64D994716BF71EB46210F2981DBD8848F2A7C33A981ACBA2
                                                                                                                                                                                                                              Function 07352A8F Relevance: .1, Instructions: 56COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1299671417.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7350000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: aa1ed261cf3128d4031578aef315babdf11bebc870edcd825118e03617cb689f
                                                                                                                                                                                                                              • Instruction ID: c563d62a27368eb2deabe59acc7dd7242c53ddcd3c80cce93677358e4187f2dd
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: aa1ed261cf3128d4031578aef315babdf11bebc870edcd825118e03617cb689f
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 3E31A478A002298FEB65CF28C994E99B7B2FB48310F1182E9D90DA7355DB309E85CF50
                                                                                                                                                                                                                              Function 0735309C Relevance: .0, Instructions: 35COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1299671417.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7350000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 09bb8d217aa1497f854751e9d1e29e51e456c89b12f5ad85c84f8b226ed2e8b4
                                                                                                                                                                                                                              • Instruction ID: 33a42666fee60049d583ef68585180cc1ab7a954f25bd92af8728971f3ae9acf
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 09bb8d217aa1497f854751e9d1e29e51e456c89b12f5ad85c84f8b226ed2e8b4
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: EA11F778A412688FDB64DF68C998A9EB7F6FB48310F1046EAD509A7344DB309E81CF45
                                                                                                                                                                                                                              Function 07350359 Relevance: .0, Instructions: 33COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1299671417.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7350000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: a0f091b3f0073c7cf039b0bf5a82b3cc1cd948b93926e4e5fa23985be0676f2e
                                                                                                                                                                                                                              • Instruction ID: cb31dd6a671a5bc96feedb3fa5d6206ed570e908d77bbd5f16ec521448117e47
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: a0f091b3f0073c7cf039b0bf5a82b3cc1cd948b93926e4e5fa23985be0676f2e
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 4A0193B8A012698FDB24CF28D984B9AB7F1FB49310F1155E9D80DABB44D670AEC1CF41
                                                                                                                                                                                                                              Function 01670860 Relevance: .0, Instructions: 31COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1248136704.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_1670000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 65259f903bc91f5623ea4fd0f8009e09f5c71c6a6c706e89d36cc01d9195d7f1
                                                                                                                                                                                                                              • Instruction ID: 8f24d264a74040e823b2cc4ad154645fa9225ef7977b8f3955d22190d93ee4b7
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 65259f903bc91f5623ea4fd0f8009e09f5c71c6a6c706e89d36cc01d9195d7f1
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 80E052315CD3925FC7474AA89CA50D87FA2998727030E82E79441DBEA3D25D8857C761
                                                                                                                                                                                                                              Function 073523B2 Relevance: .0, Instructions: 30COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1299671417.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7350000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 3b3e7a59097413f5166f03037b918c07f7c94481112d76846626a1dac91529a1
                                                                                                                                                                                                                              • Instruction ID: 5cc210f68d165b7f1c9759c9b86c797eaed5286bf29edf680568dbc3cf613671
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 3b3e7a59097413f5166f03037b918c07f7c94481112d76846626a1dac91529a1
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 4E01C874E052188FDB29DF28C994A9EB7F6FB48200F1185D5D90DA7354C634BE85CF51
                                                                                                                                                                                                                              Function 016717E8 Relevance: .0, Instructions: 27COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1248136704.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_1670000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 0960e264c70037f8e78997e474e1ec4cfa96a9f51f0862b4dd5335855ec5dbab
                                                                                                                                                                                                                              • Instruction ID: a5276b1cba9852986d75f3466b727632d9d9a808677fff94ee3fba547745fd03
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 0960e264c70037f8e78997e474e1ec4cfa96a9f51f0862b4dd5335855ec5dbab
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 3DF05E30E01208CFC780DFA8D84426E7BF5FB4A311F1091ABD806D3621D7349811CF81
                                                                                                                                                                                                                              Function 07352D27 Relevance: .0, Instructions: 24COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1299671417.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7350000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 9cf3c41cd56b31fc712f9234831bf51fb74643d74ea7e80d39ccbef3f7eec99a
                                                                                                                                                                                                                              • Instruction ID: 41b505e17ea27f5c2567aca3c8e4bc7a35f51d4e2e7fa3cc7523b4f76e13258a
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 9cf3c41cd56b31fc712f9234831bf51fb74643d74ea7e80d39ccbef3f7eec99a
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 55F06D74D0415ACFEB658F64C848BA977B6FB08305F1145E4C41D97A80D7B96AC98F42
                                                                                                                                                                                                                              Function 0736BF38 Relevance: .0, Instructions: 23COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1299671417.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7350000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 0f097b0ee48a328ddd44d952ae5ea86765dc2d693f01a7a18a705652d04a6abd
                                                                                                                                                                                                                              • Instruction ID: fe20717ee93ef06203ae03d985c01cb36d2d9d99da72ed14e0c955bf78e651cf
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 0f097b0ee48a328ddd44d952ae5ea86765dc2d693f01a7a18a705652d04a6abd
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 37E0C2B5E05208EFDB44DFA8D944AACFBF8EB59300F20C0AA980CE7355D6319A55DF84
                                                                                                                                                                                                                              Function 0736A540 Relevance: .0, Instructions: 23COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1299671417.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7350000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 0f097b0ee48a328ddd44d952ae5ea86765dc2d693f01a7a18a705652d04a6abd
                                                                                                                                                                                                                              • Instruction ID: 8661fea3605c5166880a0fab5641048c0debb17d8f5549daa1fe6248ac621f65
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 0f097b0ee48a328ddd44d952ae5ea86765dc2d693f01a7a18a705652d04a6abd
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 90E0C2B4E04208EFDB84DFA8D944AACBBF8EB49300F10C0AA9958A3355D6319A55DF84
                                                                                                                                                                                                                              Function 07365CC0 Relevance: .0, Instructions: 23COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1299671417.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7350000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 0f097b0ee48a328ddd44d952ae5ea86765dc2d693f01a7a18a705652d04a6abd
                                                                                                                                                                                                                              • Instruction ID: e364da5f7c50507588e7b4c488bf2c77fcef86968cd20dd9cdbb277bcf4ae451
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 0f097b0ee48a328ddd44d952ae5ea86765dc2d693f01a7a18a705652d04a6abd
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: FAE0C9B4D04208EFDB44DFA8D94469CBBF8FB49300F10C1AA9858A3345D6319A55DF54
                                                                                                                                                                                                                              Function 07369B40 Relevance: .0, Instructions: 22COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1299671417.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7350000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: c7227283a44eb1d95805debf55f9aa255e13918f5d9bb542440575b8acb9ad16
                                                                                                                                                                                                                              • Instruction ID: 20a8f1f4848e62fadd88436936254c3c54876afd950f0231764834c06db7c62a
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: c7227283a44eb1d95805debf55f9aa255e13918f5d9bb542440575b8acb9ad16
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: E3E0E5B4E04208EFDB84DFA8D9446ACFBF8EB49200F10C0AE881C93345D631AA16DF44
                                                                                                                                                                                                                              Function 0736F8B0 Relevance: .0, Instructions: 22COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1299671417.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7350000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: c7227283a44eb1d95805debf55f9aa255e13918f5d9bb542440575b8acb9ad16
                                                                                                                                                                                                                              • Instruction ID: 165c508d99fee41f4950a450af65417f5bb4a15d2655430bac0b72d334db7925
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: c7227283a44eb1d95805debf55f9aa255e13918f5d9bb542440575b8acb9ad16
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 67E0E5B4E04208EFDB84DFA8D9446ACBBF8EB49300F10C0EA881CA3345D7359A15CF44
                                                                                                                                                                                                                              Function 016717F8 Relevance: .0, Instructions: 21COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1248136704.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_1670000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 8f17724d45d66dc0835b18c35f9dbabe06e158296c874ecada2b4fcd185770b7
                                                                                                                                                                                                                              • Instruction ID: c96f682bb4b741d1ff8625da348d3c9945648a93f96611141e06bdd931ca427e
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 8f17724d45d66dc0835b18c35f9dbabe06e158296c874ecada2b4fcd185770b7
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 3AE0C270E052488FC740EF68DC4466EBBF5FB4A301F1555AAD80AE3260E734A9518B82
                                                                                                                                                                                                                              Function 07368B98 Relevance: .0, Instructions: 20COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1299671417.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7350000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 428ff4dc6f53f58fe9b283ea62257155da73867093368140d6b27351b1da80f3
                                                                                                                                                                                                                              • Instruction ID: fb43c71e8dd93eefdef04d6e0c076b4a44e97127b36633dddc69a8b07fa90e4d
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 428ff4dc6f53f58fe9b283ea62257155da73867093368140d6b27351b1da80f3
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 52E04FB4D04208EFDB04DF99D5446ACFBB8EB49200F14C0EEC84853345CA359A45DF85
                                                                                                                                                                                                                              Function 0167F7C8 Relevance: .0, Instructions: 19COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1248136704.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_1670000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: abe167faa0ab87267315889d0d354f8e2b00685eb9889588330719a7b7f09cbe
                                                                                                                                                                                                                              • Instruction ID: e2556b30075617eef2d2250d0807fac1b1f7b9009895435ad98f192741ca024e
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: abe167faa0ab87267315889d0d354f8e2b00685eb9889588330719a7b7f09cbe
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 32E0C271801208FFE740EFB0D90869EB7BDEB05200F0004E9D109D3210EF314A189B95
                                                                                                                                                                                                                              Function 0736DF70 Relevance: .0, Instructions: 19COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1299671417.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7350000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: e9de059c85fd361062db54aa50e225566ae338dde264364e9c96c2a07923cac3
                                                                                                                                                                                                                              • Instruction ID: 69bf7a739613f5507dcd6e1028717c4d02b12572b1801fecb9dde4156e232b7a
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: e9de059c85fd361062db54aa50e225566ae338dde264364e9c96c2a07923cac3
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 6FE012B4A19208EBDB04DF94D945A6CBBBCEB86304F14D1ADD80C17389CB319E56DF85
                                                                                                                                                                                                                              Function 0736B3F8 Relevance: .0, Instructions: 19COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1299671417.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7350000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 0ea909fe5846f93431467552e560de13f8f007560f8956ac7d3bd4b74a82169f
                                                                                                                                                                                                                              • Instruction ID: ef7b249dfceb199b29d904b137cb13e686234d2d2fb9b94ace642b827062442e
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 0ea909fe5846f93431467552e560de13f8f007560f8956ac7d3bd4b74a82169f
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 21E012B184220CFBE795FFF5890869EB7EC9B46100F5044FAD50997150EE325A149B99
                                                                                                                                                                                                                              Function 0736E098 Relevance: .0, Instructions: 19COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1299671417.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7350000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: e9de059c85fd361062db54aa50e225566ae338dde264364e9c96c2a07923cac3
                                                                                                                                                                                                                              • Instruction ID: 4ddcb16b29943508a7ce808a62aff222aaf9f22d9517a4e7b044273b47def6e2
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: e9de059c85fd361062db54aa50e225566ae338dde264364e9c96c2a07923cac3
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 57E08CB8948208EBDB04EF94D94456CBBBCBB46304F10C0ADC80813385CA329E4ACB86
                                                                                                                                                                                                                              Function 01671071 Relevance: .0, Instructions: 13COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1248136704.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_1670000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: fc8371d350bba1eb2026ecbf8cad1931ac5352f0bb8416486762444564bafaea
                                                                                                                                                                                                                              • Instruction ID: 67d3700793d479ae1401f9d5cd9bd40b232a0d6f957cb2334c1f28552a93f78a
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: fc8371d350bba1eb2026ecbf8cad1931ac5352f0bb8416486762444564bafaea
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: E5D0A731901411CFEF68AB25DC0426E7335BB4B312B999BB9DA135B248CB249D098BA6
                                                                                                                                                                                                                              Function 0167F608 Relevance: .0, Instructions: 11COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1248136704.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_1670000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: e19008af5bce041a1451e94dff48d8952d561fe100e1eab38b7edfb58f9398d0
                                                                                                                                                                                                                              • Instruction ID: b5181cb028497cebfa0feab79d4588d7c7e830064f3607d1cdab4d6fcd9ba2b1
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: e19008af5bce041a1451e94dff48d8952d561fe100e1eab38b7edfb58f9398d0
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 52C08C3008020982FB98BBF46C0C728329EAB02109F442068D21C010509F615098CB6F
                                                                                                                                                                                                                              Function 01670890 Relevance: .0, Instructions: 5COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1248136704.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_1670000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 880fe8f071b8c8beb8e1ae0192764bacc33c3ba033b59f6a244062afe81f8ea5
                                                                                                                                                                                                                              • Instruction ID: 4815ee3fd87487aa4fba2d03f6e47c08b78fa219d27fd64d331a56d2a7d926cb
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 880fe8f071b8c8beb8e1ae0192764bacc33c3ba033b59f6a244062afe81f8ea5
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 3E90023104474C8F465037997D4D555B75D95895157881052A50E455059A5564204A95

                                                                                                                                                                                                                              Non-executed Functions

                                                                                                                                                                                                                              Function 0167B6E0 Relevance: 2.7, Strings: 2, Instructions: 165COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1248136704.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_1670000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID: 4'q$4'q
                                                                                                                                                                                                                              • API String ID: 0-1467158625
                                                                                                                                                                                                                              • Opcode ID: dd061ce097f1644e1463c3abf60fffa4439d08627c1a72b18baf129463432912
                                                                                                                                                                                                                              • Instruction ID: 1431d27f1fc83bc05588efa7923f7aeb8e35db2852c5cc2b9a9bcaf4d913564b
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: dd061ce097f1644e1463c3abf60fffa4439d08627c1a72b18baf129463432912
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 3F714C70D026558FE718DFAAEC4565EBBF7FBC8300F18D02AD005AB365EA342816CB51
                                                                                                                                                                                                                              Function 073B6E5B Relevance: 1.6, Instructions: 1600COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1299907213.00000000073B0000.00000004.08000000.00040000.00000000.sdmp, Offset: 073B0000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1300106364.0000000007400000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_73b0000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: b13db0913b37791ec3c5966d9f43b4828c87dfbedb3210be923f6386e2b78db8
                                                                                                                                                                                                                              • Instruction ID: 43d5e60238aa3d3924413dfed4818d4f199259ef97606a22d51ad0cb42e842ed
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: b13db0913b37791ec3c5966d9f43b4828c87dfbedb3210be923f6386e2b78db8
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: EAC289A241E3C25FE3234B749DB66E17FB5EEA321471E04DBD0C58F863E218594AC762
                                                                                                                                                                                                                              Function 0736E0D8 Relevance: .2, Instructions: 209COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1299671417.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_7350000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 4afeaa22234136906381ab3fb39ae6b6fa8b036a1d3f59785e56c40cdae01a9f
                                                                                                                                                                                                                              • Instruction ID: 521dfbbb8801c69db958f37932c06f5c2e116b8d76e9f8eb25156572cd1f5be2
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4afeaa22234136906381ab3fb39ae6b6fa8b036a1d3f59785e56c40cdae01a9f
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1A91E8F8E45218CFEB64DFA5C84879DBBB6BF4A304F1490A9D00DAB684DB745989CF01
                                                                                                                                                                                                                              Function 0167C070 Relevance: .1, Instructions: 84COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1248136704.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_1670000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: a03a953032c623bfd7bd94b06f7cb969615ff1c165e3344f55336b6296234847
                                                                                                                                                                                                                              • Instruction ID: 7a997dc2fcc228ea57d8145e6357cfca65ec91ddbe40133844668800714cdaf1
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: a03a953032c623bfd7bd94b06f7cb969615ff1c165e3344f55336b6296234847
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 724186B0D01628CBEB68CF6ADD4879AFAF6BF89304F14C1A9C40CA7255DB750A85DF41
                                                                                                                                                                                                                              Function 07402890 Relevance: .1, Instructions: 66COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000000.00000002.1300106364.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: true
                                                                                                                                                                                                                              • Associated: 00000000.00000002.1299907213.00000000073B0000.00000004.08000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_73b0000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 5e57a2eea111737c920250f50644bfd52a7126c5f63b4a76c195f7825dd1f661
                                                                                                                                                                                                                              • Instruction ID: 58ee92581e2f663214e8165a5985ceef4f5c18aa9fe00a4d4d8351159f90f2c2
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5e57a2eea111737c920250f50644bfd52a7126c5f63b4a76c195f7825dd1f661
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8721FEB5D102189FDB14CFA9D884AEEFBF4FB4A310F10942AE805B7250C775A906CFA4

                                                                                                                                                                                                                              Executed Functions

                                                                                                                                                                                                                              Function 01592380 Relevance: 1.6, Strings: 1, Instructions: 345COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000004.00000002.2442915697.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_1590000_InstallUtil.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID: Dq
                                                                                                                                                                                                                              • API String ID: 0-144822681
                                                                                                                                                                                                                              • Opcode ID: c705c5c3acabf580d5fa69226e9e132a4c308a6abb11ae60a1061334431aa551
                                                                                                                                                                                                                              • Instruction ID: ede92eac0e391838279e4478d100d0921357527e8cb991ab5ad1f94ed0038bef
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: c705c5c3acabf580d5fa69226e9e132a4c308a6abb11ae60a1061334431aa551
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 18D1AD35A003059FDB59DF68D494AA9BBB2FF84320B1581AED4459F3A5CB35EC42CB82
                                                                                                                                                                                                                              Function 01591C42 Relevance: 1.5, Strings: 1, Instructions: 266COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000004.00000002.2442915697.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_1590000_InstallUtil.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID: Teq
                                                                                                                                                                                                                              • API String ID: 0-1098410595
                                                                                                                                                                                                                              • Opcode ID: b126f564c2c30c68d18a00e880379d07ae9d5f11834b4a6d47374c6dc5b39a62
                                                                                                                                                                                                                              • Instruction ID: 70195c33ad8cfd59feb059ee430128a145a60a9d493f468da599c7a88a48bb22
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: b126f564c2c30c68d18a00e880379d07ae9d5f11834b4a6d47374c6dc5b39a62
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: C6B1AC34A00516DFDB54CF29D998BA977F3FB88720F1A84A5E1068F3A9CB319C81CB51
                                                                                                                                                                                                                              Function 01592370 Relevance: 1.4, Strings: 1, Instructions: 167COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Strings
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000004.00000002.2442915697.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_1590000_InstallUtil.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID: Dq
                                                                                                                                                                                                                              • API String ID: 0-144822681
                                                                                                                                                                                                                              • Opcode ID: 44208c4fddb3cf92601f1f70ed65736ae35293770a83b5959d07e30385c095d9
                                                                                                                                                                                                                              • Instruction ID: d15a70cd0599c45244ba8cb7609ed6bb583d5ad3d7f02e2757904720ca2569f0
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 44208c4fddb3cf92601f1f70ed65736ae35293770a83b5959d07e30385c095d9
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 4F617B75A00615AFCB15EF29D494A59BBF2BF88310F1581A9E406EF3A5DB30EC41CF91
                                                                                                                                                                                                                              Function 01591760 Relevance: .2, Instructions: 175COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000004.00000002.2442915697.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_1590000_InstallUtil.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 849782887d8c8ecacba709e1384250dca1c95da7ea26015262dfb9365ab4c2ff
                                                                                                                                                                                                                              • Instruction ID: 1e75283af1cddf9466f8b51ad51435b9f5aa89df0b10351a7834c7b769a65dcd
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 849782887d8c8ecacba709e1384250dca1c95da7ea26015262dfb9365ab4c2ff
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1A518E34B00917CFDB64DB28D988BAE37E2FB88320F158565D1169F395CB359C819B92
                                                                                                                                                                                                                              Function 01591731 Relevance: .2, Instructions: 170COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000004.00000002.2442915697.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_1590000_InstallUtil.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 2aaa472b659b3c790382451390b07fb322bcfb7f6239e5322b99d4a8ae9ffca9
                                                                                                                                                                                                                              • Instruction ID: 808c5bd5e911d2f606c6c372783eb0658031119e9650e9317ade2984f1d0e280
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 2aaa472b659b3c790382451390b07fb322bcfb7f6239e5322b99d4a8ae9ffca9
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 5B519034B00517CFDB658B28D898BAD3BE2BB89324F194565D102DF7A5CB358C41CB56
                                                                                                                                                                                                                              Function 0159568F Relevance: .1, Instructions: 96COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000004.00000002.2442915697.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_1590000_InstallUtil.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: cae3542cfd86213a78e05408cac6834ad5f5b0f560b1bee67170d58aad725574
                                                                                                                                                                                                                              • Instruction ID: 995d8744e842528c12e68b6f9f41a6e8b29e6b4abe62118e80a0096a8a40f6d2
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: cae3542cfd86213a78e05408cac6834ad5f5b0f560b1bee67170d58aad725574
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 47319D34919244DFDB02DFA8D4486AC7FF0FF0A354F5540EAC405CB656E6785984CB62
                                                                                                                                                                                                                              Function 012AD3B4 Relevance: .1, Instructions: 75COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000004.00000002.2442314978.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_12ad000_InstallUtil.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 544fdf60428920711f450fe30fe5fabc63670fb919e4b2cb73696388b6bec196
                                                                                                                                                                                                                              • Instruction ID: 5f8d9000f1877b2d11cef84cbeb2412036d8e2e12488d09cd95efac110010a55
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 544fdf60428920711f450fe30fe5fabc63670fb919e4b2cb73696388b6bec196
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: CC2145B1520348DFEB05DF94D8C0B56BF61FB84314F60C5A9E9090BA46C336E456CBA2
                                                                                                                                                                                                                              Function 01591AD8 Relevance: .1, Instructions: 65COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000004.00000002.2442915697.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_1590000_InstallUtil.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 86d190e56d9aa30ba68d8cc7081ebc3eb35cf646bfc46ba58cf56cf186a1ae5d
                                                                                                                                                                                                                              • Instruction ID: 4d7d0549b3a358bfeccaffa9e685b48d9ccdfdf37d7284cc918f560bb784bbe8
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 86d190e56d9aa30ba68d8cc7081ebc3eb35cf646bfc46ba58cf56cf186a1ae5d
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 0F11E2317005268FDB518B7DE4947A67BE7FBC5730F1A40B6D109CB329DAB48842C792
                                                                                                                                                                                                                              Function 01591660 Relevance: .1, Instructions: 58COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000004.00000002.2442915697.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_1590000_InstallUtil.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 893b81162d342d435de60e30afd334a04388b75c099a9b3f799229e3f58f49f4
                                                                                                                                                                                                                              • Instruction ID: fb113bea311853cec2d0d669c0a1aea6e3c5cf7b9f1ac3df1b139c5c8f51455e
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 893b81162d342d435de60e30afd334a04388b75c099a9b3f799229e3f58f49f4
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: B4214770D0924AEFCB42DFB9D59468CBFF1AF8A300F2880EAC044DB666D3355A44CB42
                                                                                                                                                                                                                              Function 015956EF Relevance: .1, Instructions: 57COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000004.00000002.2442915697.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_1590000_InstallUtil.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 5b71d79af81954c9143274cdda42c48815ab45879458fb7931911c9c39d003ee
                                                                                                                                                                                                                              • Instruction ID: cc1108cd7d0da05b0e1227142e9a4055077e368e51e1028ac0daf03b8bad2b2d
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5b71d79af81954c9143274cdda42c48815ab45879458fb7931911c9c39d003ee
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 95219374914204DFEB11DFA8D0883ACBFF1FB45385F5480AAC4059B744E7785695CF62
                                                                                                                                                                                                                              Function 012AD3AF Relevance: .1, Instructions: 56COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000004.00000002.2442314978.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_12ad000_InstallUtil.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: a0ffab5f0a75abba76e46da30f4106ab1a9b5d88ed3f9b00d643379fe76b32b3
                                                                                                                                                                                                                              • Instruction ID: 4e2c22bfff1fc0e9973e1ad71547a55ccea2bec732e24688aa504bd6fee0a63a
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: a0ffab5f0a75abba76e46da30f4106ab1a9b5d88ed3f9b00d643379fe76b32b3
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: C5112676404284CFDB06CF54D5C0B56BF71FB84314F24C5A9D9090B657C336E456CBA1
                                                                                                                                                                                                                              Function 01591BA0 Relevance: .1, Instructions: 52COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000004.00000002.2442915697.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_1590000_InstallUtil.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: dec902fb026d87950332450b78b4907975d5ad7525aa983e40cf4b6dba1fc5fb
                                                                                                                                                                                                                              • Instruction ID: 19f617dcc949beb3d101a791e1fe4d61b4ce79cf72a6e835d8fff08c3b143ba3
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: dec902fb026d87950332450b78b4907975d5ad7525aa983e40cf4b6dba1fc5fb
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8C11ED342016218FDB11CB39E888B557BE7FB86321F0582BAD005CB665D231AC41CB51
                                                                                                                                                                                                                              Function 01595700 Relevance: .1, Instructions: 51COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000004.00000002.2442915697.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_1590000_InstallUtil.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 7c98b82923861138dbb7324126b102716d3e544a6060be5908d991b1b9945178
                                                                                                                                                                                                                              • Instruction ID: 71ad12824e1898fac73c21e1a01d46a8c0c302f94666e3874385c5f2ea83bc11
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 7c98b82923861138dbb7324126b102716d3e544a6060be5908d991b1b9945178
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: CE116D74914108DFEB02DFA8D0883ADBBF5FB44385F9480AAC4099B748E7784A94CF62
                                                                                                                                                                                                                              Function 01591BB0 Relevance: .0, Instructions: 43COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000004.00000002.2442915697.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_1590000_InstallUtil.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: cb321c775e58e6a8e94b9020fb06044855fe490f89ba72c26f099c64a85af719
                                                                                                                                                                                                                              • Instruction ID: 301bf1521f9174315125dd334f4081045e444b8e92690f585c3591e88487775f
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: cb321c775e58e6a8e94b9020fb06044855fe490f89ba72c26f099c64a85af719
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 4801D135701825CFDB60CB29E488B59B3EBFBC4731F0585BAE00ACB654D7719C418B81
                                                                                                                                                                                                                              Function 01591688 Relevance: .0, Instructions: 43COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000004.00000002.2442915697.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_1590000_InstallUtil.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 8ce865fc8035b2ff693e2aae70517cf3c4231dca695c91096f50d62e929be136
                                                                                                                                                                                                                              • Instruction ID: 829097ab7209b69a691a88409aa406beb96c3fc593511abf90c657fcb9a476f2
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 8ce865fc8035b2ff693e2aae70517cf3c4231dca695c91096f50d62e929be136
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 58112970D0561EEFDF44EFA9D58469CBBF5FB84311F6484AAC408AB614E7305A848F82
                                                                                                                                                                                                                              Function 01590942 Relevance: .0, Instructions: 41COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000004.00000002.2442915697.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_1590000_InstallUtil.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: a7a2c2fce68538dc73778fbbf1fbd6b68de3ba0ae2fbec1ab0d5bd760c292aa4
                                                                                                                                                                                                                              • Instruction ID: dd1fee3919ef0220dc52a2736288f32226b437fac63c38fe27615a034a5aaaad
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: a7a2c2fce68538dc73778fbbf1fbd6b68de3ba0ae2fbec1ab0d5bd760c292aa4
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 5E01C031900241CFEB11DF2AE888944BBF8FF0870470A49AAE94A9F25AD735A9058F81
                                                                                                                                                                                                                              Function 01592AF6 Relevance: .0, Instructions: 30COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000004.00000002.2442915697.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_1590000_InstallUtil.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: ad8b7ea94be94c8a5bccf59107100651c28f3e38df3a06eb41a9784773df59dd
                                                                                                                                                                                                                              • Instruction ID: 3daac8fd9e98704472d80abfb222377b4b01a164f559fa1b5cd2725028a085da
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: ad8b7ea94be94c8a5bccf59107100651c28f3e38df3a06eb41a9784773df59dd
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: C8F0173471010AEFDF15DBA8E8849ADB7B2FB49320F148526E512AB3A5CB30DC51CB92
                                                                                                                                                                                                                              Function 01597ECE Relevance: .0, Instructions: 19COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000004.00000002.2442915697.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_1590000_InstallUtil.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: 076fdb281fa26ad0ca1872c84eec9e4ad645c337ce52785e6db08c3f98823e57
                                                                                                                                                                                                                              • Instruction ID: 36af2b8ec852cc0aff566cc242f5efe7677cb553ab1b86efcfe2f8eb561d6fcf
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: 076fdb281fa26ad0ca1872c84eec9e4ad645c337ce52785e6db08c3f98823e57
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 9CE09A34A042149FDB69AB75F89C22977EAFB88309F4488A5B50EC6249EFB59D40CB01
                                                                                                                                                                                                                              Function 01591A50 Relevance: .0, Instructions: 16COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000004.00000002.2442915697.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_1590000_InstallUtil.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: ee4769f7661608639056c948a5c8390af74e9a82043274b8c12535c9bbc170ab
                                                                                                                                                                                                                              • Instruction ID: 4753bd94bbba3289129e9f988065f783cbc6ac15b226e88b7199a55bd1f616b5
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: ee4769f7661608639056c948a5c8390af74e9a82043274b8c12535c9bbc170ab
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: 65E0EC319046854EDF17E734B5DC6553FA0AB57314F0444CAC0418A496DD6A5554C712
                                                                                                                                                                                                                              Function 0159CF50 Relevance: .0, Instructions: 6COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000004.00000002.2442915697.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_1590000_InstallUtil.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: e398e23df09561457db479b90ae41a249c3186c2dace60f16b9a54b8d6aae673
                                                                                                                                                                                                                              • Instruction ID: 698c0066e3f7491ba2a1b72c5fe1f926452624d3bc5edb16a008ff05fb95bbc8
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: e398e23df09561457db479b90ae41a249c3186c2dace60f16b9a54b8d6aae673
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: B4A02230082B0F838B0232B03000022338C288002A3C000BA820C0CA2028BBE0B0828A
                                                                                                                                                                                                                              Function 01590950 Relevance: .0, Instructions: 5COMMON
                                                                                                                                                                                                                              Download Yara Rule
                                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                                              • Source File: 00000004.00000002.2442915697.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
                                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                                              • Snapshot File: hcaresult_4_2_1590000_InstallUtil.jbxd
                                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                                              • Opcode ID: c7df17f3099abcbe4a9cdcb8d0bb49be65d68c3f5299d887b29cfd11bfd69bab
                                                                                                                                                                                                                              • Instruction ID: 49b07aeca80994e9b4b0dc11786389edef1b430b007e694c2e74aae031e4efbf
                                                                                                                                                                                                                              • Opcode Fuzzy Hash: c7df17f3099abcbe4a9cdcb8d0bb49be65d68c3f5299d887b29cfd11bfd69bab
                                                                                                                                                                                                                              • Instruction Fuzzy Hash: CB90023144464D8B86903796748D555779CA544E157840151A90E4150A5E59641447D9