Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
imagine_Whatsapp_2025-03-12.img.exe

Overview

General Information

Sample name:imagine_Whatsapp_2025-03-12.img.exe
Analysis ID:1640575
MD5:352c3764bb9f59d7b21cab61930be003
SHA1:58a5f679d05c4d845ba83bd326d58b4223f76b6a
SHA256:252adea6ee9da3c00b53667295d5ce774e827f3c5d5f300d223c71c202d18c16
Tags:exeuser-adrian__luca
Infos:

Detection

Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • imagine_Whatsapp_2025-03-12.img.exe (PID: 6524 cmdline: "C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exe" MD5: 352C3764BB9F59D7B21CAB61930BE003)
    • powershell.exe (PID: 6832 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process "https://adobe.com" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chrome.exe (PID: 424 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://adobe.com/ MD5: E81F54E6C1129887AEA47E7D092680BF)
        • chrome.exe (PID: 5204 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2060,i,1785109057841810501,3028122236755377671,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2332 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
    • InstallUtil.exe (PID: 7048 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
      • WerFault.exe (PID: 4016 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7048 -s 1144 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 8012 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.951069315.0000000003B1E000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
    00000000.00000002.959417545.0000000005E90000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
      00000000.00000002.918743441.00000000027D4000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
        Process Memory Space: imagine_Whatsapp_2025-03-12.img.exe PID: 6524JoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
          Process Memory Space: imagine_Whatsapp_2025-03-12.img.exe PID: 6524JoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
            Click to see the 1 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.imagine_Whatsapp_2025-03-12.img.exe.5e90000.7.unpackJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
              0.2.imagine_Whatsapp_2025-03-12.img.exe.3d12e40.2.unpackJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
                0.2.imagine_Whatsapp_2025-03-12.img.exe.5e90000.7.raw.unpackJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
                  0.2.imagine_Whatsapp_2025-03-12.img.exe.3d12e40.2.raw.unpackJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security

                    Sigma Signatures

                    System Summary

                    barindex
                    Sigma detected: Non Interactive PowerShell Process Spawned
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process "https://adobe.com", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process "https://adobe.com", CommandLine|base64offset|contains: J, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exe", ParentImage: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exe, ParentProcessId: 6524, ParentProcessName: imagine_Whatsapp_2025-03-12.img.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process "https://adobe.com", ProcessId: 6832, ProcessName: powershell.exe
                    Sigma detected: Windows Processes Suspicious Parent Directory
                    Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 628, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 8012, ProcessName: svchost.exe

                    Suricata Signatures

                    No Suricata rule has matched

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Antivirus / Scanner detection for submitted sample
                    Source: imagine_Whatsapp_2025-03-12.img.exeAvira: detected
                    Multi AV Scanner detection for submitted file
                    Source: imagine_Whatsapp_2025-03-12.img.exeVirustotal: Detection: 50%Perma Link
                    Source: imagine_Whatsapp_2025-03-12.img.exeReversingLabs: Detection: 72%
                    Joe Sandbox ML detected suspicious sample
                    Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                    Source: imagine_Whatsapp_2025-03-12.img.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_148406828\LICENSE.txtJump to behavior
                    Source: imagine_Whatsapp_2025-03-12.img.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: InstallUtil.exe, 00000003.00000002.2732108069.0000000001340000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: InstallUtil.exe, 00000003.00000002.2732108069.0000000001340000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: InstallUtil.exe, 00000003.00000002.2732108069.0000000001340000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.951069315.0000000003779000.00000004.00000800.00020000.00000000.sdmp, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.960694466.0000000006920000.00000004.08000000.00040000.00000000.sdmp, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.951069315.0000000003721000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000003.00000002.2732108069.0000000001340000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: imagine_Whatsapp_2025-03-12.img.exe, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.951069315.0000000003779000.00000004.00000800.00020000.00000000.sdmp, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.960694466.0000000006920000.00000004.08000000.00040000.00000000.sdmp, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.951069315.0000000003721000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdbSHA256}Lq source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.959889118.0000000006500000.00000004.08000000.00040000.00000000.sdmp, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.951069315.0000000003779000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: ?}oC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000003.00000002.2730654287.0000000000DA8000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000003.00000002.2732108069.0000000001340000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdb source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.959889118.0000000006500000.00000004.08000000.00040000.00000000.sdmp, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.951069315.0000000003779000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: C:\Windows\InstallUtil.pdbpdbtil.pdb6 source: InstallUtil.exe, 00000003.00000002.2732108069.0000000001340000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\InstallUtil.pdb:{ source: InstallUtil.exe, 00000003.00000002.2732108069.0000000001340000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\symbols\dll\System.pdbX<6 source: InstallUtil.exe, 00000003.00000002.2732108069.0000000001340000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: InstallUtil.exe, 00000003.00000002.2738018989.00000000056D0000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: @}o.pdb source: InstallUtil.exe, 00000003.00000002.2730654287.0000000000DA8000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdbl source: InstallUtil.exe, 00000003.00000002.2732108069.0000000001340000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: mscorlib.pdb% source: InstallUtil.exe, 00000003.00000002.2738018989.00000000056D0000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\mscorlib.pdbh source: InstallUtil.exe, 00000003.00000002.2732108069.0000000001340000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb{{ source: InstallUtil.exe, 00000003.00000002.2732108069.0000000001340000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.30319\InstallUtil.pdb` source: InstallUtil.exe, 00000003.00000002.2730654287.0000000000DA8000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\dll\System.pdb source: InstallUtil.exe, 00000003.00000002.2732108069.0000000001340000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: InstallUtil.exe, 00000003.00000002.2732108069.0000000001340000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\exe\InstallUtil.pdb source: InstallUtil.exe, 00000003.00000002.2732108069.0000000001340000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdb9 source: InstallUtil.exe, 00000003.00000002.2732108069.0000000001340000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.PDB source: InstallUtil.exe, 00000003.00000002.2732108069.0000000001340000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: ((.pdb&s( source: InstallUtil.exe, 00000003.00000002.2730654287.0000000000DA8000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\System.pdbNA source: InstallUtil.exe, 00000003.00000002.2732108069.0000000001340000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: HPqo8C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000003.00000002.2730654287.0000000000DA8000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000003.00000002.2730654287.0000000000DA8000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: InstallUtil.exe, 00000003.00000002.2732108069.0000000001340000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000003.00000002.2732108069.0000000001340000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: InstallUtil.pdb.NET/Framework/v4.0.30319/InstallUtil.exe source: InstallUtil.exe, 00000003.00000002.2732108069.0000000001340000.00000004.00000020.00020000.00000000.sdmp
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeCode function: 4x nop then jmp 06972948h0_2_06972890
                    Source: Joe Sandbox ViewIP Address: 1.1.1.1 1.1.1.1
                    Source: svchost.exe, 0000000C.00000002.2735736344.0000021A1F286000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
                    Source: svchost.exe, 0000000C.00000002.2735955051.0000021A1F2F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/
                    Source: svchost.exe, 0000000C.00000002.2734093862.0000021A1A300000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ac6mhlwypzipnufijdvfyhdgvt4q_67/khaoiebnd
                    Source: svchost.exe, 0000000C.00000003.1588660562.0000021A1EFE2000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.1748918030.0000021A1EFE5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adnnf2xkczyschn5rjlarpymlqwq_2025.3.12.0/
                    Source: svchost.exe, 0000000C.00000003.1995336722.0000021A1EFEC000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.2734380984.0000021A1A840000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.2735955051.0000021A1F2F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adp7lmscefogeldj4te6xerqth3a_9.55.0/gcmjk
                    Source: svchost.exe, 0000000C.00000002.2735955051.0000021A1F2F2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2581394434.0000021A1A3DE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2669446380.0000021A1A3DE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2670857628.0000021A1A3DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adrovrpquemobbwthbstjwffhima_2025.1.17.1/
                    Source: svchost.exe, 0000000C.00000002.2732936638.0000021A19C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2252662601.0000021A1EFE4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/cfdmnf2kygkbopkdq7d3slzfky_20250306.73592
                    Source: svchost.exe, 0000000C.00000002.2735955051.0000021A1F2F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/imoffpf67hel7kbknqflao2oo4_1.0.2738.0/nei
                    Source: svchost.exe, 0000000C.00000002.2735955051.0000021A1F2F2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2548130694.0000021A1EFE6000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2581394434.0000021A1A3DE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2669446380.0000021A1A3DE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2670857628.0000021A1A3DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/l7xtcygg3vebugalfkm3b3dp3u_6.7431.9692/pk
                    Source: svchost.exe, 0000000C.00000002.2735736344.0000021A1F264000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.2735955051.0000021A1F2F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com:80/edgedl/release2/chrome_component/ac6mhlwypzipnufijdvfyhdgvt4q_67/khaoie
                    Source: svchost.exe, 0000000C.00000002.2735955051.0000021A1F2F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com:80/edgedl/release2/chrome_component/adp7lmscefogeldj4te6xerqth3a_9.55.0/gc
                    Source: svchost.exe, 0000000C.00000003.1203059152.0000021A1EFE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.918743441.0000000002721000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: imagine_Whatsapp_2025-03-12.img.exeString found in binary or memory: http://www.codeproject.com/Articles/16009/A-Much-Easier-to-Use-ListView
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://2k.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://33across.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://360yield.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://3lift.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://a-mo.net
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://acxiom.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://ad-score.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://ad-stir.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://ad.gt
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://adentifi.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://adform.net
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://adingo.jp
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://admatrix.jp
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://admission.net
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://admixer.net
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://adnami.io
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://adnxs.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://adroll.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://adsafeprotected.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://adscale.de
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://adsmeasurement.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://adsrvr.org
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://adswizz.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://adthrive.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://adtrafficquality.google
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://advividnetwork.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://aggregation-service-site-dot-clz200258-datateam-italy.ew.r.appspot.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://akpytela.cz
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://alketech.eu
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://amazon-adsystem.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://aniview.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://anonymised.io
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://apex-football.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://aphub.ai
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://appconsent.io
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://appier.net
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://appsflyer.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://appsflyersdk.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://aqfer.com
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.918743441.0000000002721000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://arborspalet.rs
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.918743441.0000000002721000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://arborspalet.rs/Hzret.mp4
                    Source: imagine_Whatsapp_2025-03-12.img.exeString found in binary or memory: https://arborspalet.rs/Hzret.mp4YI/KzSqBb0C7dZRHeal
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://atirun.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://atomex.net
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://audience360.com.au
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://audienceproject.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://authorizedvault.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://avads.net
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://ayads.io
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://azubiyo.de
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://beaconmax.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://bidswitch.net
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://bidtheatre.net
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://blendee.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://bluems.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://boost-web.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://bounceexchange.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://bypass.jp
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://casalemedia.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://cazamba.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://cdn-net.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://clickonometrics.pl
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://connatix.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://connected-stories.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://convertunits.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://coupang.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://cpx.to
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://crcldu.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://creative-serving.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://creativecdn.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://criteo.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://ctnsnet.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://d-edgeconnect.media
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://dabbs.net
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://dailymail.co.uk
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://dailymotion.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://daum.net
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://deepintent.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://demand.supply
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://display.io
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://disqus.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://docomo.ne.jp
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://dotdashmeredith.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://dotomi.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://doubleclick.net
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://doubleverify.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://dreammail.jp
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://dynalyst.jp
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://ebayadservices.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://ebis.ne.jp
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://edkt.io
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://elle.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://elnacional.cat
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://eloan.co.jp
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://euleriancdn.net
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://explorefledge.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://ezoic.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://fanbyte.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://fandom.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://finn.no
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://flashtalking.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://fout.jp
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://fwmrm.net
                    Source: svchost.exe, 0000000C.00000003.1203059152.0000021A1F039000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
                    Source: svchost.exe, 0000000C.00000003.1203059152.0000021A1EFE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://gama.globo
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://get3rdspace.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://getcapi.co
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://getyourguide.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://ghtinc.com
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.959889118.0000000006500000.00000004.08000000.00040000.00000000.sdmp, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.951069315.0000000003779000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-net
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.959889118.0000000006500000.00000004.08000000.00040000.00000000.sdmp, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.951069315.0000000003779000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-netJ
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.959889118.0000000006500000.00000004.08000000.00040000.00000000.sdmp, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.951069315.0000000003779000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-neti
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://globo.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://gmossp-sp.jp
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://gokwik.co
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://google-analytics.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://googleadservices.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://googlesyndication.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://grxchange.gr
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://gsspat.jp
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://gumgum.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://gunosy.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://halcy.de
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://html-load.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://i-mobile.co.jp
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://im-apps.net
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://impact-ad.jp
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://indexww.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://ingereck.net
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://inmobi.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://innovid.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://iobeya.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://jivox.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://jkforum.net
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://kargo.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://kidoz.net
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://kompaspublishing.nl
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://ladsp.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://linkedin.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://logly.co.jp
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://lucead.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://lwadm.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://mail.ru
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://media.net
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://media6degrees.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://mediaintelligence.de
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://mediamath.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://mediavine.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://metro.co.uk
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://microad.jp
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://momento.dev
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://moshimo.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://naver.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://nexxen.tech
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://nhnace.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://nodals.io
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://onet.pl
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://onetag-sys.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://open-bid.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://openx.net
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://optable.co
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://outbrain.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://paa-reporting-advertising.amazon
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://payment.goog
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://permutive.app
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://pinterest.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://postrelease.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://presage.io
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://primecaster.net
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://privacy-sandbox-demos-ad-server.dev
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://privacy-sandbox-demos-dsp-a.dev
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://privacy-sandbox-demos-dsp-b.dev
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://privacy-sandbox-demos-dsp-x.dev
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://privacy-sandbox-demos-dsp-y.dev
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://privacy-sandbox-demos-dsp.dev
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://privacy-sandbox-demos-ssp-a.dev
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://privacy-sandbox-demos-ssp-b.dev
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://privacy-sandbox-demos-ssp-x.dev
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://privacy-sandbox-demos-ssp-y.dev
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://privacy-sandbox-demos-ssp.dev
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://privacy-sandbox-test.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://privacy-sandcastle-dev-ad-server.web.app
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://privacy-sandcastle-dev-dsp-a1.web.app
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://privacy-sandcastle-dev-dsp-b1.web.app
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://privacy-sandcastle-dev-dsp-x.web.app
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://privacy-sandcastle-dev-dsp-y.web.app
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://privacy-sandcastle-dev-dsp.web.app
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://privacy-sandcastle-dev-ssp-a.web.app
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://privacy-sandcastle-dev-ssp-b.web.app
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://privacy-sandcastle-dev-ssp-x.web.app
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://privacy-sandcastle-dev-ssp-y.web.app
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://privacy-sandcastle-dev-ssp.web.app
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://ptb-msmt-static-5jyy5ulagq-uc.a.run.app
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://pub.network
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://pubmatic.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://pubtm.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://quantserve.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://quora.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://r2b2.io
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://relevant-digital.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://retargetly.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://rubiconproject.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://samplicio.us
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://sascdn.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://seedtag.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://semafor.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://sephora.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://shared-storage-demo-content-producer.web.app
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://shared-storage-demo-publisher-a.web.app
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://shared-storage-demo-publisher-b.web.app
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://shinobi.jp
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://shinystat.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://simeola.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://singular.net
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://sitescout.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://smadexprivacysandbox.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://snapchat.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://socdm.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://sportradarserving.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://stackadapt.com
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.959889118.0000000006500000.00000004.08000000.00040000.00000000.sdmp, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.951069315.0000000003779000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.959889118.0000000006500000.00000004.08000000.00040000.00000000.sdmp, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.951069315.0000000003779000.00000004.00000800.00020000.00000000.sdmp, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.918743441.00000000027D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.959889118.0000000006500000.00000004.08000000.00040000.00000000.sdmp, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.951069315.0000000003779000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://storygize.net
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://superfine.org
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://t13.io
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://taboola.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://tailtarget.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://tamedia.com.tw
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://tangooserver.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://teads.tv
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://theryn.io
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://tiktok.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://tncid.app
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://toponad.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://torneos.gg
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://tpmark.net
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://tribalfusion.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://trip.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://triptease.io
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://trkkn.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://tya-dev.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://uinterbox.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://undertone.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://unrulymedia.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://uol.com.br
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://usemax.de
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://validate.audio
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://verve.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://vg.no
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://vidazoo.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://vpadn.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://washingtonpost.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://weborama-tech.ru
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://weborama.fr
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://wepowerconnections.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://worldhistory.org
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://wp.pl
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://yahoo.co.jp
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://yahoo.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://yelp.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://yieldlab.net
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://yieldmo.com
                    Source: privacy-sandbox-attestations.dat.6.drString found in binary or memory: https://youronlinechoices.eu

                    System Summary

                    barindex
                    .NET source code contains very large array initializations
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.3a7c2b0.0.raw.unpack, AQMtL0CEf3uF5L4b1r.csLarge array initialization: XgxcY7lFY: array initializer size 360496
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\scoped_dir424_90204810Jump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_1778473901Jump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_1778473901\privacy-sandbox-attestations.datJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_1778473901\manifest.jsonJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_1778473901\_metadata\Jump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_1778473901\_metadata\verified_contents.jsonJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_1778473901\manifest.fingerprintJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\scoped_dir424_2108271574Jump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_1562856539Jump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_1562856539\Google.Widevine.CDM.dllJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_1562856539\manifest.jsonJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_1562856539\_metadata\Jump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_1562856539\_metadata\verified_contents.jsonJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_1562856539\manifest.fingerprintJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\scoped_dir424_562832488Jump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_148406828Jump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_148406828\LICENSE.txtJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_148406828\Filtering RulesJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_148406828\manifest.jsonJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_148406828\_metadata\Jump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_148406828\_metadata\verified_contents.jsonJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_148406828\manifest.fingerprintJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\scoped_dir424_1873504407Jump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_892981035Jump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_892981035\cr_en-us_500000_index.binJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_892981035\manifest.jsonJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_892981035\_metadata\Jump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_892981035\_metadata\verified_contents.jsonJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_892981035\manifest.fingerprintJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\scoped_dir424_1260729075Jump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_924195603Jump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_924195603\history_search_strings_farmhashed.binarypbJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_924195603\manifest.jsonJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_924195603\_metadata\Jump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_924195603\_metadata\verified_contents.jsonJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_924195603\manifest.fingerprintJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\scoped_dir424_1865217653Jump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_1005910677Jump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_1005910677\keys.jsonJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_1005910677\manifest.jsonJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_1005910677\LICENSEJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_1005910677\_metadata\Jump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_1005910677\_metadata\verified_contents.jsonJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_1005910677\manifest.fingerprintJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\scoped_dir424_950020623Jump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_306068185Jump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_306068185\download_file_types.pbJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_306068185\manifest.jsonJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_306068185\_metadata\Jump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_306068185\_metadata\verified_contents.jsonJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_306068185\manifest.fingerprintJump to behavior
                    Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmpJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile deleted: C:\Windows\SystemTemp\scoped_dir424_90204810Jump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeCode function: 0_2_06970E100_2_06970E10
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeCode function: 0_2_06926E5B0_2_06926E5B
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeCode function: 0_2_00D6C0700_2_00D6C070
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeCode function: 0_2_00D6B6E00_2_00D6B6E0
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeCode function: 0_2_066DF6480_2_066DF648
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeCode function: 0_2_066DF9000_2_066DF900
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeCode function: 0_2_066DE0D80_2_066DE0D8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_02D81C413_2_02D81C41
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_02D857F83_2_02D857F8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_02D857E93_2_02D857E9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_02D820F83_2_02D820F8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_02D820E83_2_02D820E8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_02D84C403_2_02D84C40
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_02D81C413_2_02D81C41
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_02D84C3F3_2_02D84C3F
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7048 -s 1144
                    Source: imagine_Whatsapp_2025-03-12.img.exeBinary or memory string: OriginalFilename vs imagine_Whatsapp_2025-03-12.img.exe
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.956221699.0000000005810000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameUasrluacu.dll" vs imagine_Whatsapp_2025-03-12.img.exe
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.916637432.000000000087E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs imagine_Whatsapp_2025-03-12.img.exe
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.959889118.0000000006500000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs imagine_Whatsapp_2025-03-12.img.exe
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.951069315.0000000003779000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs imagine_Whatsapp_2025-03-12.img.exe
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.951069315.0000000003779000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs imagine_Whatsapp_2025-03-12.img.exe
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.951069315.0000000003779000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUasrluacu.dll" vs imagine_Whatsapp_2025-03-12.img.exe
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.960694466.0000000006920000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs imagine_Whatsapp_2025-03-12.img.exe
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.951069315.0000000003721000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs imagine_Whatsapp_2025-03-12.img.exe
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.918743441.0000000002768000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs imagine_Whatsapp_2025-03-12.img.exe
                    Source: imagine_Whatsapp_2025-03-12.img.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                    Source: imagine_Whatsapp_2025-03-12.img.exe, OrderedDecider.csCryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.3a7c2b0.0.raw.unpack, dWy9wgkc20H6T7Oy8E.csCryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.3a7c2b0.0.raw.unpack, dWy9wgkc20H6T7Oy8E.csCryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.3a7c2b0.0.raw.unpack, AQMtL0CEf3uF5L4b1r.csCryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.3779570.4.raw.unpack, ITaskFolder.csTask registration methods: 'RegisterTaskDefinition', 'RegisterTask'
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.3779570.4.raw.unpack, TaskFolder.csTask registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.3779570.4.raw.unpack, Task.csTask registration methods: 'RegisterChanges', 'CreateTask'
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.3779570.4.raw.unpack, TaskService.csTask registration methods: 'CreateFromToken'
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.3779570.4.raw.unpack, TaskPrincipal.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.3779570.4.raw.unpack, Task.csSecurity API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.3779570.4.raw.unpack, User.csSecurity API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.3779570.4.raw.unpack, TaskSecurity.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.3779570.4.raw.unpack, TaskSecurity.csSecurity API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.3779570.4.raw.unpack, TaskFolder.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                    Source: classification engineClassification label: mal100.evad.winEXE@35/51@0/6
                    Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4016:64:WilError_03
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMutant created: NULL
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeMutant created: \Sessions\1\BaseNamedObjects\Hfvlk
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6856:120:WilError_03
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lyyuzk5n.ryn.ps1Jump to behavior
                    Source: imagine_Whatsapp_2025-03-12.img.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: imagine_Whatsapp_2025-03-12.img.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: imagine_Whatsapp_2025-03-12.img.exeVirustotal: Detection: 50%
                    Source: imagine_Whatsapp_2025-03-12.img.exeReversingLabs: Detection: 72%
                    Source: imagine_Whatsapp_2025-03-12.img.exeString found in binary or memory: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><HTML><HEAD></HEAD><BODY><!--StartFragment-->{0}<!--EndFragment--></BODY></HTML>
                    Source: unknownProcess created: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exe "C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exe"
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process "https://adobe.com"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://adobe.com/
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7048 -s 1144
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2060,i,1785109057841810501,3028122236755377671,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2332 /prefetch:3
                    Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process "https://adobe.com"Jump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://adobe.com/Jump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2060,i,1785109057841810501,3028122236755377671,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2332 /prefetch:3Jump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.shell.servicehostbuilder.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ieframe.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netapi32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wkscli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mlang.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wtsapi32.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winsta.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: imagine_Whatsapp_2025-03-12.img.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: imagine_Whatsapp_2025-03-12.img.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                    Source: imagine_Whatsapp_2025-03-12.img.exeStatic file information: File size 1112576 > 1048576
                    Source: imagine_Whatsapp_2025-03-12.img.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x10e200
                    Source: imagine_Whatsapp_2025-03-12.img.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: InstallUtil.exe, 00000003.00000002.2732108069.0000000001340000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: InstallUtil.exe, 00000003.00000002.2732108069.0000000001340000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: InstallUtil.exe, 00000003.00000002.2732108069.0000000001340000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.951069315.0000000003779000.00000004.00000800.00020000.00000000.sdmp, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.960694466.0000000006920000.00000004.08000000.00040000.00000000.sdmp, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.951069315.0000000003721000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000003.00000002.2732108069.0000000001340000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: imagine_Whatsapp_2025-03-12.img.exe, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.951069315.0000000003779000.00000004.00000800.00020000.00000000.sdmp, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.960694466.0000000006920000.00000004.08000000.00040000.00000000.sdmp, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.951069315.0000000003721000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdbSHA256}Lq source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.959889118.0000000006500000.00000004.08000000.00040000.00000000.sdmp, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.951069315.0000000003779000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: ?}oC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000003.00000002.2730654287.0000000000DA8000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000003.00000002.2732108069.0000000001340000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdb source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.959889118.0000000006500000.00000004.08000000.00040000.00000000.sdmp, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.951069315.0000000003779000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: C:\Windows\InstallUtil.pdbpdbtil.pdb6 source: InstallUtil.exe, 00000003.00000002.2732108069.0000000001340000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\InstallUtil.pdb:{ source: InstallUtil.exe, 00000003.00000002.2732108069.0000000001340000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\symbols\dll\System.pdbX<6 source: InstallUtil.exe, 00000003.00000002.2732108069.0000000001340000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: InstallUtil.exe, 00000003.00000002.2738018989.00000000056D0000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: @}o.pdb source: InstallUtil.exe, 00000003.00000002.2730654287.0000000000DA8000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdbl source: InstallUtil.exe, 00000003.00000002.2732108069.0000000001340000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: mscorlib.pdb% source: InstallUtil.exe, 00000003.00000002.2738018989.00000000056D0000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\mscorlib.pdbh source: InstallUtil.exe, 00000003.00000002.2732108069.0000000001340000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb{{ source: InstallUtil.exe, 00000003.00000002.2732108069.0000000001340000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.30319\InstallUtil.pdb` source: InstallUtil.exe, 00000003.00000002.2730654287.0000000000DA8000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\dll\System.pdb source: InstallUtil.exe, 00000003.00000002.2732108069.0000000001340000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: InstallUtil.exe, 00000003.00000002.2732108069.0000000001340000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\exe\InstallUtil.pdb source: InstallUtil.exe, 00000003.00000002.2732108069.0000000001340000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdb9 source: InstallUtil.exe, 00000003.00000002.2732108069.0000000001340000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.PDB source: InstallUtil.exe, 00000003.00000002.2732108069.0000000001340000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: ((.pdb&s( source: InstallUtil.exe, 00000003.00000002.2730654287.0000000000DA8000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\System.pdbNA source: InstallUtil.exe, 00000003.00000002.2732108069.0000000001340000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: HPqo8C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000003.00000002.2730654287.0000000000DA8000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000003.00000002.2730654287.0000000000DA8000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: InstallUtil.exe, 00000003.00000002.2732108069.0000000001340000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000003.00000002.2732108069.0000000001340000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: InstallUtil.pdb.NET/Framework/v4.0.30319/InstallUtil.exe source: InstallUtil.exe, 00000003.00000002.2732108069.0000000001340000.00000004.00000020.00020000.00000000.sdmp

                    Data Obfuscation

                    barindex
                    .NET source code contains method to dynamically call methods (often used by packers)
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.3a7c2b0.0.raw.unpack, dWy9wgkc20H6T7Oy8E.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                    .NET source code contains potential unpacker
                    Source: imagine_Whatsapp_2025-03-12.img.exe, ConfigService.cs.Net Code: WatchConfig System.AppDomain.Load(byte[])
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.6500000.8.raw.unpack, TypeModel.cs.Net Code: TryDeserializeList
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.6500000.8.raw.unpack, ListDecorator.cs.Net Code: Read
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.6500000.8.raw.unpack, TypeSerializer.cs.Net Code: CreateInstance
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.6500000.8.raw.unpack, TypeSerializer.cs.Net Code: EmitCreateInstance
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.6500000.8.raw.unpack, TypeSerializer.cs.Net Code: EmitCreateIfNull
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.3779570.4.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.3779570.4.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.3779570.4.raw.unpack, XmlSerializationHelper.cs.Net Code: ReadObjectProperties
                    Suspicious powershell command line found
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process "https://adobe.com"
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process "https://adobe.com"Jump to behavior
                    Yara detected Costura Assembly Loader
                    Source: Yara matchFile source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.5e90000.7.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.3d12e40.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.5e90000.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.3d12e40.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000002.951069315.0000000003B1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.959417545.0000000005E90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.918743441.00000000027D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: imagine_Whatsapp_2025-03-12.img.exe PID: 6524, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 7048, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeCode function: 0_2_066C6E09 push edi; ret 0_2_066C6E0A
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeCode function: 0_2_066C5952 push edi; ret 0_2_066C5953
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 3_2_02D83E02 push cs; ret 3_2_02D83E0F
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.3a7c2b0.0.raw.unpack, dWy9wgkc20H6T7Oy8E.csHigh entropy of concatenated method names: 'U7bGoWXMfZ1kBw50CJp', 'gRXWPrX5bFK76qLBQow', 'fpNssM24O7', 'vh0ry9Sq2v', 'aMNs3Dbq6M', 'bY2sMPnD68', 'L05s5bBbHp', 'AUesVbaGwB', 'rjFxZWYqbd', 'Bv8b4ij7j'
                    Source: 0.2.imagine_Whatsapp_2025-03-12.img.exe.3a7c2b0.0.raw.unpack, Y3p91hsQxejMSPRTu0v.csHigh entropy of concatenated method names: 'i2HsehOLVu', 'Q22snSYZGl', 'A7IsR8FxFK', 'AGhsq1HqkN', 'd4Psaco0fP', 'zmAsKnvnyR', 'knNs8c4Fwb', 'invsp4h8ZR', 'r6ysjGD7j9', 'rOAsYgXweO'
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_1562856539\Google.Widevine.CDM.dllJump to dropped file
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_1562856539\Google.Widevine.CDM.dllJump to dropped file
                    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_148406828\LICENSE.txtJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    barindex
                    Yara detected AntiVM3
                    Source: Yara matchFile source: Process Memory Space: imagine_Whatsapp_2025-03-12.img.exe PID: 6524, type: MEMORYSTR
                    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.918743441.00000000027D4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeMemory allocated: D20000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeMemory allocated: 2720000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeMemory allocated: 4720000 memory reserve | memory write watchJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 2D40000 memory reserve | memory write watchJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 2F70000 memory reserve | memory write watchJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 2DA0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1497Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 489Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7132Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7012Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\System32\svchost.exe TID: 8064Thread sleep time: -30000s >= -30000sJump to behavior
                    Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.918743441.00000000027D4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.918743441.00000000027D4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: q 1:en-CH:Microsoft|VMWare|Virtual
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.918743441.00000000027D4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware|VIRTUAL|A M I|Xen
                    Source: svchost.exe, 0000000C.00000002.2735650283.0000021A1F25B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.918743441.00000000027D4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: q 1:en-CH:VMware|VIRTUAL|A M I|Xen
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.918743441.00000000027D4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Microsoft|VMWare|Virtual
                    Source: svchost.exe, 0000000C.00000002.2732936638.0000021A19C2B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW@
                    Source: imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.916637432.00000000008B4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess queried: DebugPortJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess queried: DebugPortJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    Injects a PE file into a foreign processes
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5AJump to behavior
                    Writes to foreign memory regions
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000Jump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000Jump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 46E000Jump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 470000Jump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: E8E008Jump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process "https://adobe.com"Jump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://adobe.com/Jump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeQueries volume information: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Mitre Att&ck Matrix

                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
                    Windows Management Instrumentation                    		1
                    Scheduled Task/Job                    		211
                    Process Injection                    		2
                    Masquerading                    		OS Credential Dumping131
                    Security Software Discovery                    		Remote Services11
                    Archive Collected Data                    		1
                    Encrypted Channel                    		Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault Accounts2
                    Command and Scripting Interpreter                    		1
                    DLL Side-Loading                    		1
                    Scheduled Task/Job                    		1
                    Disable or Modify Tools                    		LSASS Memory1
                    Process Discovery                    		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain Accounts1
                    Scheduled Task/Job                    		Logon Script (Windows)1
                    DLL Side-Loading                    		61
                    Virtualization/Sandbox Evasion                    		Security Account Manager61
                    Virtualization/Sandbox Evasion                    		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal Accounts1
                    PowerShell                    		Login HookLogin Hook211
                    Process Injection                    		NTDS1
                    Application Window Discovery                    		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                    Deobfuscate/Decode Files or Information                    		LSA Secrets1
                    File and Directory Discovery                    		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts2
                    Obfuscated Files or Information                    		Cached Domain Credentials42
                    System Information Discovery                    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
                    Software Packing                    		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                    DLL Side-Loading                    		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                    Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
                    File Deletion                    		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    behaviorgraph top1 signatures2 2 Behavior Graph ID: 1640575 Sample: imagine_Whatsapp_2025-03-12... Startdate: 17/03/2025 Architecture: WINDOWS Score: 100 43 Antivirus / Scanner detection for submitted sample 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 Yara detected AntiVM3 2->47 49 5 other signatures 2->49 8 imagine_Whatsapp_2025-03-12.img.exe 15 3 2->8         started        12 svchost.exe 1 8 2->12         started        process3 dnsIp4 35 185.102.77.35 HOSTING90UPSTREAMconnectivityCZ Czech Republic 8->35 51 Suspicious powershell command line found 8->51 53 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->53 55 Writes to foreign memory regions 8->55 57 Injects a PE file into a foreign processes 8->57 14 powershell.exe 23 8->14         started        16 InstallUtil.exe 2 8->16         started        37 127.0.0.1 unknown unknown 12->37 signatures5 process6 process7 18 chrome.exe 58 14->18         started        22 conhost.exe 14->22         started        24 WerFault.exe 4 16->24         started        dnsIp8 31 192.168.2.16 unknown unknown 18->31 33 192.168.2.17 unknown unknown 18->33 29 C:\Windows\...behaviorgraphoogle.Widevine.CDM.dll, PE32+ 18->29 dropped 26 chrome.exe 18->26         started        file9 process10 dnsIp11 39 142.250.185.100 GOOGLEUS United States 26->39 41 1.1.1.1 CLOUDFLARENETUS Australia 26->41

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    imagine_Whatsapp_2025-03-12.img.exe51%VirustotalBrowse
                    imagine_Whatsapp_2025-03-12.img.exe72%ReversingLabsWin32.Trojan.Jalapeno
                    imagine_Whatsapp_2025-03-12.img.exe100%AviraTR/Kryptik.itkfs

                    Dropped Files

                    SourceDetectionScannerLabelLink
                    C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_1562856539\Google.Widevine.CDM.dll0%ReversingLabs
                    C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_1562856539\Google.Widevine.CDM.dll0%VirustotalBrowse

                    Unpacked PE Files

                    No Antivirus matches

                    Domains

                    No Antivirus matches

                    URLs

                    No Antivirus matches

                    Domains and IPs

                    Contacted Domains

                    No contacted domains info

                    URLs from Memory and Binaries

                    NameSourceMaliciousAntivirus DetectionReputation
                    https://mediavine.comprivacy-sandbox-attestations.dat.6.drfalse
                      		high
                      https://connatix.comprivacy-sandbox-attestations.dat.6.drfalse
                        		high
                        https://yelp.comprivacy-sandbox-attestations.dat.6.drfalse
                          		high
                          https://nodals.ioprivacy-sandbox-attestations.dat.6.drfalse
                            		high
                            https://getyourguide.comprivacy-sandbox-attestations.dat.6.drfalse
                              		high
                              https://mediaintelligence.deprivacy-sandbox-attestations.dat.6.drfalse
                                		high
                                https://privacy-sandcastle-dev-dsp.web.appprivacy-sandbox-attestations.dat.6.drfalse
                                  		high
                                  https://privacy-sandbox-demos-dsp-a.devprivacy-sandbox-attestations.dat.6.drfalse
                                    		high
                                    https://permutive.appprivacy-sandbox-attestations.dat.6.drfalse
                                      		high
                                      https://privacy-sandbox-demos-dsp.devprivacy-sandbox-attestations.dat.6.drfalse
                                        		high
                                        https://adthrive.comprivacy-sandbox-attestations.dat.6.drfalse
                                          		high
                                          https://ad.gtprivacy-sandbox-attestations.dat.6.drfalse
                                            		high
                                            https://gumgum.comprivacy-sandbox-attestations.dat.6.drfalse
                                              		high
                                              https://trkkn.comprivacy-sandbox-attestations.dat.6.drfalse
                                                		high
                                                https://logly.co.jpprivacy-sandbox-attestations.dat.6.drfalse
                                                  		high
                                                  https://media6degrees.comprivacy-sandbox-attestations.dat.6.drfalse
                                                    		high
                                                    https://privacy-sandcastle-dev-ssp.web.appprivacy-sandbox-attestations.dat.6.drfalse
                                                      		high
                                                      https://inmobi.comprivacy-sandbox-attestations.dat.6.drfalse
                                                        		high
                                                        https://33across.comprivacy-sandbox-attestations.dat.6.drfalse
                                                          		high
                                                          https://dreammail.jpprivacy-sandbox-attestations.dat.6.drfalse
                                                            		high
                                                            https://jkforum.netprivacy-sandbox-attestations.dat.6.drfalse
                                                              		high
                                                              https://iobeya.comprivacy-sandbox-attestations.dat.6.drfalse
                                                                		high
                                                                https://a-mo.netprivacy-sandbox-attestations.dat.6.drfalse
                                                                  		high
                                                                  https://ebis.ne.jpprivacy-sandbox-attestations.dat.6.drfalse
                                                                    		high
                                                                    https://privacy-sandbox-demos-ssp-y.devprivacy-sandbox-attestations.dat.6.drfalse
                                                                      		high
                                                                      https://aphub.aiprivacy-sandbox-attestations.dat.6.drfalse
                                                                        		high
                                                                        https://gama.globoprivacy-sandbox-attestations.dat.6.drfalse
                                                                          		high
                                                                          https://audienceproject.comprivacy-sandbox-attestations.dat.6.drfalse
                                                                            		high
                                                                            https://adsrvr.orgprivacy-sandbox-attestations.dat.6.drfalse
                                                                              		high
                                                                              https://finn.noprivacy-sandbox-attestations.dat.6.drfalse
                                                                                		high
                                                                                https://lucead.comprivacy-sandbox-attestations.dat.6.drfalse
                                                                                  		high
                                                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameimagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.918743441.0000000002721000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    		high
                                                                                    https://verve.comprivacy-sandbox-attestations.dat.6.drfalse
                                                                                      		high
                                                                                      https://r2b2.ioprivacy-sandbox-attestations.dat.6.drfalse
                                                                                        		high
                                                                                        https://stackoverflow.com/q/14436606/23354imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.959889118.0000000006500000.00000004.08000000.00040000.00000000.sdmp, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.951069315.0000000003779000.00000004.00000800.00020000.00000000.sdmp, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.918743441.00000000027D4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          		high
                                                                                          https://bluems.comprivacy-sandbox-attestations.dat.6.drfalse
                                                                                            		high
                                                                                            https://edkt.ioprivacy-sandbox-attestations.dat.6.drfalse
                                                                                              		high
                                                                                              https://atomex.netprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                		high
                                                                                                https://crcldu.comprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                  		high
                                                                                                  https://rubiconproject.comprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                    		high
                                                                                                    https://sitescout.comprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                      		high
                                                                                                      https://apex-football.comprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                        		high
                                                                                                        https://dotomi.comprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                          		high
                                                                                                          http://crl.ver)svchost.exe, 0000000C.00000002.2735736344.0000021A1F286000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            		high
                                                                                                            https://ctnsnet.comprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                              		high
                                                                                                              https://toponad.comprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                		high
                                                                                                                https://shinobi.jpprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                  		high
                                                                                                                  https://superfine.orgprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                    		high
                                                                                                                    https://360yield.comprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                      		high
                                                                                                                      https://usemax.deprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                        		high
                                                                                                                        https://display.ioprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                          		high
                                                                                                                          https://adform.netprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                            		high
                                                                                                                            https://eloan.co.jpprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                              		high
                                                                                                                              https://postrelease.comprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                                		high
                                                                                                                                https://aqfer.comprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                                  		high
                                                                                                                                  https://docomo.ne.jpprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                                    		high
                                                                                                                                    https://shared-storage-demo-publisher-a.web.appprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                                      		high
                                                                                                                                      https://weborama-tech.ruprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                                        		high
                                                                                                                                        https://innovid.comprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                                          		high
                                                                                                                                          https://demand.supplyprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                                            		high
                                                                                                                                            https://nexxen.techprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                                              		high
                                                                                                                                              https://2k.comprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                                                		high
                                                                                                                                                https://advividnetwork.comprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                                                  		high
                                                                                                                                                  https://undertone.comprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                                                    		high
                                                                                                                                                    https://creative-serving.comprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                                                      		high
                                                                                                                                                      https://unrulymedia.comprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                                                        		high
                                                                                                                                                        https://tailtarget.comprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                                                          		high
                                                                                                                                                          https://paa-reporting-advertising.amazonprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                                                            		high
                                                                                                                                                            https://privacy-sandbox-demos-ssp-b.devprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                                                              		high
                                                                                                                                                              https://bypass.jpprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                                                                		high
                                                                                                                                                                https://dotdashmeredith.comprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                                                                  		high
                                                                                                                                                                  http://www.codeproject.com/Articles/16009/A-Much-Easier-to-Use-ListViewimagine_Whatsapp_2025-03-12.img.exefalse
                                                                                                                                                                    		high
                                                                                                                                                                    https://atirun.comprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                                                                      		high
                                                                                                                                                                      https://adingo.jpprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                                                                        		high
                                                                                                                                                                        https://impact-ad.jpprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                                                                          		high
                                                                                                                                                                          https://admatrix.jpprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                                                                            		high
                                                                                                                                                                            https://openx.netprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                                                                              		high
                                                                                                                                                                              https://taboola.comprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                                                                                		high
                                                                                                                                                                                https://ayads.ioprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                                                                                  		high
                                                                                                                                                                                  https://i-mobile.co.jpprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                                                                                    		high
                                                                                                                                                                                    https://uinterbox.comprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                                                                                      		high
                                                                                                                                                                                      https://mail.ruprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                                                                                        		high
                                                                                                                                                                                        https://simeola.comprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                                                                                          		high
                                                                                                                                                                                          https://gmossp-sp.jpprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                                                                                            		high
                                                                                                                                                                                            https://primecaster.netprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                                                                                              		high
                                                                                                                                                                                              https://privacy-sandcastle-dev-ssp-a.web.appprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                                                                                                		high
                                                                                                                                                                                                https://worldhistory.orgprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                                                                                                  		high
                                                                                                                                                                                                  https://stackoverflow.com/q/11564914/23354;imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.959889118.0000000006500000.00000004.08000000.00040000.00000000.sdmp, imagine_Whatsapp_2025-03-12.img.exe, 00000000.00000002.951069315.0000000003779000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    		high
                                                                                                                                                                                                    https://adnxs.comprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                                                                                                      		high
                                                                                                                                                                                                      https://dabbs.netprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                                                                                                        		high
                                                                                                                                                                                                        https://seedtag.comprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                                                                                                          		high
                                                                                                                                                                                                          https://casalemedia.comprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                                                                                                            		high
                                                                                                                                                                                                            https://privacy-sandcastle-dev-dsp-x.web.appprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                                                                                                              		high
                                                                                                                                                                                                              https://authorizedvault.comprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                                                                                                                		high
                                                                                                                                                                                                                https://privacy-sandcastle-dev-ssp-y.web.appprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                                                                                                                  		high
                                                                                                                                                                                                                  https://sportradarserving.comprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                                                                                                                    		high
                                                                                                                                                                                                                    https://semafor.comprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                                                                                                                      		high
                                                                                                                                                                                                                      https://lwadm.comprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                                                                                                                        		high
                                                                                                                                                                                                                        https://appconsent.ioprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                                                                                                                          		high
                                                                                                                                                                                                                          https://vg.noprivacy-sandbox-attestations.dat.6.drfalse
                                                                                                                                                                                                                            		high

                                                                                                                                                                                                                            World Map of Contacted IPs

                                                                                                                                                                                                                            • No. of IPs < 25%
                                                                                                                                                                                                                            • 25% < No. of IPs < 50%
                                                                                                                                                                                                                            • 50% < No. of IPs < 75%
                                                                                                                                                                                                                            • 75% < No. of IPs

                                                                                                                                                                                                                            Public IPs

                                                                                                                                                                                                                            IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                                                                                                            1.1.1.1
                                                                                                                                                                                                                            		unknownAustralia
                                                                                                                                                                                                                            		13335CLOUDFLARENETUSfalse
                                                                                                                                                                                                                            142.250.185.100
                                                                                                                                                                                                                            		unknownUnited States
                                                                                                                                                                                                                            		15169GOOGLEUSfalse
                                                                                                                                                                                                                            185.102.77.35
                                                                                                                                                                                                                            		unknownCzech Republic
                                                                                                                                                                                                                            		198171HOSTING90UPSTREAMconnectivityCZfalse

                                                                                                                                                                                                                            Private

                                                                                                                                                                                                                            IP
                                                                                                                                                                                                                            192.168.2.17
                                                                                                                                                                                                                            192.168.2.16
                                                                                                                                                                                                                            127.0.0.1

                                                                                                                                                                                                                            General Information

                                                                                                                                                                                                                            Joe Sandbox version:42.0.0 Malachite
                                                                                                                                                                                                                            Analysis ID:1640575
                                                                                                                                                                                                                            Start date and time:2025-03-17 13:19:54 +01:00
                                                                                                                                                                                                                            Joe Sandbox product:CloudBasic
                                                                                                                                                                                                                            Overall analysis duration:0h 7m 37s
                                                                                                                                                                                                                            Hypervisor based Inspection enabled:false
                                                                                                                                                                                                                            Report type:full
                                                                                                                                                                                                                            Cookbook file name:default.jbs
                                                                                                                                                                                                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                                                                                                            Run name:Run with higher sleep bypass
                                                                                                                                                                                                                            Number of analysed new started processes analysed:24
                                                                                                                                                                                                                            Number of new started drivers analysed:0
                                                                                                                                                                                                                            Number of existing processes analysed:0
                                                                                                                                                                                                                            Number of existing drivers analysed:0
                                                                                                                                                                                                                            Number of injected processes analysed:0
                                                                                                                                                                                                                            Technologies:
                                                                                                                                                                                                                            • HCA enabled
                                                                                                                                                                                                                            • EGA enabled
                                                                                                                                                                                                                            • AMSI enabled
                                                                                                                                                                                                                            Analysis Mode:default
                                                                                                                                                                                                                            Analysis stop reason:Timeout
                                                                                                                                                                                                                            Sample name:imagine_Whatsapp_2025-03-12.img.exe
                                                                                                                                                                                                                            Detection:MAL
                                                                                                                                                                                                                            Classification:mal100.evad.winEXE@35/51@0/6
                                                                                                                                                                                                                            EGA Information:Failed
                                                                                                                                                                                                                            HCA Information:
                                                                                                                                                                                                                            • Successful, ratio: 87%
                                                                                                                                                                                                                            • Number of executed functions: 56
                                                                                                                                                                                                                            • Number of non-executed functions: 5
                                                                                                                                                                                                                            Cookbook Comments:
                                                                                                                                                                                                                            • Found application associated with file extension: .exe
                                                                                                                                                                                                                            • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                                                                                                                                                                                            • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

                                                                                                                                                                                                                            Warnings

                                                                                                                                                                                                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
                                                                                                                                                                                                                            • Excluded IPs from analysis (whitelisted): 216.58.206.78, 142.250.186.67, 2.22.242.138, 2.22.242.114, 142.250.181.238, 142.251.168.84, 192.168.2.7, 142.250.186.78, 216.58.206.46, 142.250.185.206, 142.250.185.110, 199.232.210.172, 172.217.16.142, 142.250.184.238, 142.250.186.142, 23.60.203.209, 142.250.185.78, 142.250.185.174, 142.250.185.238, 23.199.214.10, 142.250.185.163, 34.104.35.123, 142.250.185.142, 142.250.185.99, 199.232.214.172, 142.250.186.35, 142.250.186.174, 172.202.163.200, 20.190.159.73, 2.23.227.215
                                                                                                                                                                                                                            • Excluded domains from analysis (whitelisted): www.bing.com, clients1.google.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, fe3cr.delivery.mp.microsoft.com, clients2.google.com, redirector.gvt1.com, edgedl.me.gvt1.com, login.live.com, adobe.com, update.googleapis.com, clients.l.google.com, prod.fs.microsoft.com.akadns.net, c.pki.goog
                                                                                                                                                                                                                            • Execution Graph export aborted for target InstallUtil.exe, PID 7048 because it is empty
                                                                                                                                                                                                                            • Execution Graph export aborted for target imagine_Whatsapp_2025-03-12.img.exe, PID 6524 because it is empty
                                                                                                                                                                                                                            • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                                                                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                                                                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                                                                                            • Report size getting too big, too many NtOpenFile calls found.
                                                                                                                                                                                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                                                            • Report size getting too big, too many NtReadVirtualMemory calls found.

                                                                                                                                                                                                                            Simulations

                                                                                                                                                                                                                            Behavior and APIs

                                                                                                                                                                                                                            No simulations

                                                                                                                                                                                                                            Joe Sandbox View / Context

                                                                                                                                                                                                                            IPs

                                                                                                                                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                            1.1.1.1watchdog.elfGet hashmaliciousXmrigBrowse
                                                                                                                                                                                                                            • 1.1.1.1:8080/
                                                                                                                                                                                                                            6fW0GedR6j.xlsGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                            • 1.1.1.1/ctrl/playback.php
                                                                                                                                                                                                                            PO-230821_pdf.exeGet hashmaliciousFormBook, NSISDropperBrowse
                                                                                                                                                                                                                            • www.974dp.com/sn26/?kJBLpb8=qaEGeuQorcUQurUZCuE8d9pas+Z0M0brqtX248JBolEfq8j8F1R9i1jKZexhxY54UlRG&ML0tl=NZlpi
                                                                                                                                                                                                                            AFfv8HpACF.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                            • 1.1.1.1/

                                                                                                                                                                                                                            Domains

                                                                                                                                                                                                                            No context

                                                                                                                                                                                                                            ASNs

                                                                                                                                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                            CLOUDFLARENETUSm0wsoI3.exeGet hashmaliciousMars Stealer, Stealc, VidarBrowse
                                                                                                                                                                                                                            • 188.114.97.3
                                                                                                                                                                                                                            New requirement Orders.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                                                                            • 104.26.12.205
                                                                                                                                                                                                                            PURCHASE ORDER N0259305-06SN.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                                            • 172.67.222.201
                                                                                                                                                                                                                            QUOTATION 03664710859027.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                                                                                            • 104.21.80.1
                                                                                                                                                                                                                            SHANXI Outward Remittance.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                                                                                            • 104.21.48.1
                                                                                                                                                                                                                            Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                                                            • 104.21.32.1
                                                                                                                                                                                                                            RFQ 306 & 307.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                                                                                            • 104.21.48.1
                                                                                                                                                                                                                            http://www.teubes.comGet hashmaliciousCAPTCHA Scam ClickFixBrowse
                                                                                                                                                                                                                            • 188.114.96.3
                                                                                                                                                                                                                            https://check.telavya8.icu/gkcxv.google?i=4876e1f6-ac44-408f-999b-2cd4a9b4a8df%20#%20''I%20am%20not%20a%20'robot'%20-%20%D0%B3e%D0%A1%D0%90%D0%A0%D0%A2%D0%A1%D0%9D%D0%90%20Verification%20ID:%202482''Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                            • 188.114.96.3
                                                                                                                                                                                                                            HOSTING90UPSTREAMconnectivityCZFcpnluBr4S.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                            • 185.102.77.43
                                                                                                                                                                                                                            FcpnluBr4S.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                            • 185.102.77.43
                                                                                                                                                                                                                            jklarm7.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                            • 171.33.140.91
                                                                                                                                                                                                                            Angebotsanfrage.img.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                            • 185.102.77.43
                                                                                                                                                                                                                            Angebotsanfrage.img.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                            • 185.102.77.43
                                                                                                                                                                                                                            22835271_5115055035.img.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                            • 185.102.77.43
                                                                                                                                                                                                                            22835271_5115055035.img.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                            • 185.102.77.43
                                                                                                                                                                                                                            #U00c1raj#U00e1nlat_k#U00e9r#U00e9s.img.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                            • 185.102.77.43
                                                                                                                                                                                                                            #U00c1raj#U00e1nlat_k#U00e9r#U00e9s.img.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                            • 185.102.77.43

                                                                                                                                                                                                                            JA3 Fingerprints

                                                                                                                                                                                                                            No context

                                                                                                                                                                                                                            Dropped Files

                                                                                                                                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                            C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_1562856539\Google.Widevine.CDM.dllATT42345678_EBE15BD3-3790-4134-A07B-5CE56D3CA0592023-03-15T11-09-41.htmlGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                                                              438XXX5089.pdfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                Discord Nitro Gift Generator.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                  https://digimobil-recrgar.comGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                    .htmlGet hashmaliciousGabagoolBrowse
                                                                                                                                                                                                                                      https://centrepatronal.blob.core.windows.net/heberhard/centrepatronal.htmlGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                                                                        cndx.com.emlGet hashmaliciousHTMLPhisher, Invisible JS, Tycoon2FABrowse
                                                                                                                                                                                                                                          Fd-Employee-Handbook(1).pdfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                            ATT001_2674865722.htmGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                              https://drive.usercontent.google.com/u/0/uc?id=1oVYWzJi9Tw6x0zGRa8di76JxbjhDHWgd&export=downloadGet hashmaliciousUnknownBrowse

                                                                                                                                                                                                                                                Created / dropped Files

                                                                                                                                                                                                                                                C:\ProgramData\Microsoft\Network\Downloader\edb.log

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):1310720
                                                                                                                                                                                                                                                Entropy (8bit):0.9129365478102996
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:1536:2JPJJ5JdihkWB/U7mWz0FujGRFDp3w+INKEbx9jzW9KHSjoN2jucfh11AoYQ6VqJ:2JIB/wUKUKQncEmYRTwh0qofFUp3Pm
                                                                                                                                                                                                                                                MD5:65EF678F9052DD7C5EEA00515ECBD5CF
                                                                                                                                                                                                                                                SHA1:AFE6D446C770B74329467A405DAC55F3A026720F
                                                                                                                                                                                                                                                SHA-256:2851045519FDCE7CAD06DD63A8355E51333AB68A699E1D57144D94E0E2439C7C
                                                                                                                                                                                                                                                SHA-512:2373437185FA15EB6D55DE93C486FAA794B42E4B4A8D239C917ECA54D3652F9EE4AB180C8761F143E5436308B827EB5D8A3CB1FCE96781BAFCC4EC8FBDA8FDD0
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Reputation:low
                                                                                                                                                                                                                                                Preview:...........@..@.+...{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.................................u.f!.Lz3.#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

                                                                                                                                                                                                                                                C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                File Type:Extensible storage engine DataBase, version 0x620, checksum 0x70448ba3, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):1310720
                                                                                                                                                                                                                                                Entropy (8bit):0.7899633171874246
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:1536:TSB2ESB2SSjlK/JvED2y0IEWBqbMo5g5ZYkr3g16S42UPkLk+k2+UJ8xUJoU+dzV:TazaPvgurvj42UsSii
                                                                                                                                                                                                                                                MD5:0F3EF74F75D0E466C4DC788CD76F11BE
                                                                                                                                                                                                                                                SHA1:E0A60CF3ADE4B938F8D8776CCB2313D96B7D3E7C
                                                                                                                                                                                                                                                SHA-256:B4488B9CC57A743906CAC85F718370E98E3471FA58A0747B52BFFEAC5C49EE43
                                                                                                                                                                                                                                                SHA-512:16AAD12FF6AAB71940C8205222C4CE6F4CB8ED97A2503FA00900F2F202076A724B7509F4B46EE5EC34C834AA62BC871C81560745138138921B92FCEA4DA08EA2
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Reputation:low
                                                                                                                                                                                                                                                Preview:pD..... ...............X\...;...{......................0.`.....42...{5......}..h.b.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........+...{...............................................................................................................................................................................................2...{....................................h@.....}..................L.~......}...........................#......h.b.....................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):16384
                                                                                                                                                                                                                                                Entropy (8bit):0.08299886109384447
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:3:udlllEYeGp4nxzNtlllaCil6zb4mXlJJyavsYllEqW3l/TjzzQ/t:ud6zVPo8XXlHvhmd8/
                                                                                                                                                                                                                                                MD5:ECDDB3987A344716F4EE05094DB34F4D
                                                                                                                                                                                                                                                SHA1:88D938C649B2893031950A1EAB3B7BE559C25FC8
                                                                                                                                                                                                                                                SHA-256:E1E7EDE354769926484F576B9241272F67B782EFF6451FAE178D695BC7381DC2
                                                                                                                                                                                                                                                SHA-512:60031ACE0A5D4C5115E84F5C266FD9A3AEE8CCF69CF4246384B812D60B9EC6E86A392F5E6C55A25EEE2900090FA771019F459173F48C1721BC0CC45A20B34656
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Reputation:low
                                                                                                                                                                                                                                                Preview:y:]......................................;...{.......}..42...{5.........%....}..42...{5...h@.....}...................!S&%....}..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):1216
                                                                                                                                                                                                                                                Entropy (8bit):5.365181666909978
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:24:3S/tWSKco4KmZjKbmOIld6emN1s4RPQoU99tXt/NK3R8e9ia4:CVWSU4xym/jms4RIoU99tlNWR82m
                                                                                                                                                                                                                                                MD5:0C693BD2ABA2A39B19266349B9311C21
                                                                                                                                                                                                                                                SHA1:F8C0303EE2845DC8BC0510BCB6490EE7EAEB5426
                                                                                                                                                                                                                                                SHA-256:515B185BDE6F9A4E94849934CA269962275055C05B40345D68295FBEAC1EEB46
                                                                                                                                                                                                                                                SHA-512:FEE530269B0BB2A4225519F01920FF30C0CF6F6737191B6C98A6229346136C05A383E8BDE85F2A3F355986C49DF3BAE635A19D359547A369FFA69A16F5B4EEC5
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:@...e.................................I. .......................P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.D....................+.H..!...e........System.Configuration.Ins

                                                                                                                                                                                                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cymrafbl.w0x.psm1

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):60
                                                                                                                                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                                                                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lyyuzk5n.ryn.ps1

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):60
                                                                                                                                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                                                                                                                C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                File Type:JSON data
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):55
                                                                                                                                                                                                                                                Entropy (8bit):4.306461250274409
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                                                                                                                                                                MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                                                                                                                                                                SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                                                                                                                                                                SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                                                                                                                                                                SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

                                                                                                                                                                                                                                                C:\Windows\SystemTemp\chrome_BITS_424_1357856471\BITD712.tmp

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                File Type:Google Chrome extension, version 3
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):6684
                                                                                                                                                                                                                                                Entropy (8bit):7.752204071173577
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:192:5Bbi8FdZP0mYIjZcwOSwy90B+hpi8kPVtww:De8DymvjQYrhpGH
                                                                                                                                                                                                                                                MD5:95778546493345DD2E3F1E48583B371D
                                                                                                                                                                                                                                                SHA1:BCA90D6DC7E7F8E231036E0C3D185C429B09A3C6
                                                                                                                                                                                                                                                SHA-256:5C635BBBB3BFC63910E29A0BE9FF5EE0990CCA2D3AAA56E4F4CD2C480C81B7DF
                                                                                                                                                                                                                                                SHA-512:8A267663728984CD44C73A32BA0D7DE0A8A626D05D7E45009E1A6031E49B29D6FB9CD9B8E07782B5AE5371F9C90D4E1FB10B8D7787B148663424D899121FDC86
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:Cr24..............0.."0...*.H.............0...........\7c.<........Fto.8.2'5..qk...%....2...C.F.9.#..e.xQ.......[...L|....3>/....u.:T.7...(.yM...?V.<?........1.a...O?d.....A.H..'.MpB..T.m..Vn Ip..>k.|1..n.<Fb..f..*Q1.....s..2..{*.6....Pp....obM..1.......b1.......(.u^.'z......v.F.W.X4."-*eu...b..........J;...........l...j..y..?.....uk.)...<.g.....H.......$M?^....wN.ax..^....\#.<HC...@n..@..yu$.x=........y?.u.&V.M....f........:H....-B.ix..m.......>.5.g.W:.Ck..s.#J.."..)Y....4pH).ED.........}..MT....:.FT./.b....c...t..y....I..G9.Q}...$.a...[...Y......0.."0...*.H.............0..........7...*`D.k.w......!..E.g...=.v/...M..%/ND....X,...=N..5]0t..?.l.1).u.)kZ...ka....+LdL....r.}1....+..v.e.d8Y.R.D..e..<..P#*...R...j.$..H..|%E...?-'.Q}.^.....P........]d.<Z....s'...^.Y.ib..B.n.....lt...G.K...YHS..Oa2......=..(...G.z.c.b9Nd.....0D..R#..c.w......T..c....^.Y>J..u].....C"$a..5..b....S./W.m.d7.)...=.O..).,.k.=....Q&..n.{..W..]L......]]..>b.p..........vrZ....e.....b.

                                                                                                                                                                                                                                                C:\Windows\SystemTemp\chrome_BITS_424_1357856471\niikhdgajlphfehepabhhblakbdgeefj_2025.03.12.00_all_adq7z562swe73sgkbx65gzsho2ha.crx3 (copy)

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                File Type:Google Chrome extension, version 3
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):6684
                                                                                                                                                                                                                                                Entropy (8bit):7.752204071173577
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:192:5Bbi8FdZP0mYIjZcwOSwy90B+hpi8kPVtww:De8DymvjQYrhpGH
                                                                                                                                                                                                                                                MD5:95778546493345DD2E3F1E48583B371D
                                                                                                                                                                                                                                                SHA1:BCA90D6DC7E7F8E231036E0C3D185C429B09A3C6
                                                                                                                                                                                                                                                SHA-256:5C635BBBB3BFC63910E29A0BE9FF5EE0990CCA2D3AAA56E4F4CD2C480C81B7DF
                                                                                                                                                                                                                                                SHA-512:8A267663728984CD44C73A32BA0D7DE0A8A626D05D7E45009E1A6031E49B29D6FB9CD9B8E07782B5AE5371F9C90D4E1FB10B8D7787B148663424D899121FDC86
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:Cr24..............0.."0...*.H.............0...........\7c.<........Fto.8.2'5..qk...%....2...C.F.9.#..e.xQ.......[...L|....3>/....u.:T.7...(.yM...?V.<?........1.a...O?d.....A.H..'.MpB..T.m..Vn Ip..>k.|1..n.<Fb..f..*Q1.....s..2..{*.6....Pp....obM..1.......b1.......(.u^.'z......v.F.W.X4."-*eu...b..........J;...........l...j..y..?.....uk.)...<.g.....H.......$M?^....wN.ax..^....\#.<HC...@n..@..yu$.x=........y?.u.&V.M....f........:H....-B.ix..m.......>.5.g.W:.Ck..s.#J.."..)Y....4pH).ED.........}..MT....:.FT./.b....c...t..y....I..G9.Q}...$.a...[...Y......0.."0...*.H.............0..........7...*`D.k.w......!..E.g...=.v/...M..%/ND....X,...=N..5]0t..?.l.1).u.)kZ...ka....+LdL....r.}1....+..v.e.d8Y.R.D..e..<..P#*...R...j.$..H..|%E...?-'.Q}.^.....P........]d.<Z....s'...^.Y.ib..B.n.....lt...G.K...YHS..Oa2......=..(...G.z.c.b9Nd.....0D..R#..c.w......T..c....^.Y>J..u].....C"$a..5..b....S./W.m.d7.)...=.O..).,.k.=....Q&..n.{..W..]L......]]..>b.p..........vrZ....e.....b.

                                                                                                                                                                                                                                                C:\Windows\SystemTemp\chrome_BITS_424_1594922559\BIT7DC4.tmp

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                File Type:Google Chrome extension, version 3
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):37717
                                                                                                                                                                                                                                                Entropy (8bit):7.973440746806729
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:768:WM8Oi1BjTqoAC43p8DzHGgu9OGE2EPdbQbaahQhKMM87JBDa45jAI6RYDo:78vBvn4Z8BqOlpbQbaauM81BhT6Wk
                                                                                                                                                                                                                                                MD5:94B12BA7E81BEF85691E1BCBAEDD4E80
                                                                                                                                                                                                                                                SHA1:4EF7B7D42670572349D493C6ABD74DDAAE217942
                                                                                                                                                                                                                                                SHA-256:6AF08FC2B0DD497E30E40290EFCB817B9B1F7DC7F734AB1A9DD000AE01F36050
                                                                                                                                                                                                                                                SHA-512:5161E8A2D81A619096A2C49BFB14C3CB09FAE509613DD6EC907F8C59E769F8241C5C246530CB8603EB46E00835417D17DF7A2F8CE3CFE963EC43C109E5514B08
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:Cr24..............0.."0...*.H.............0...........\7c.<........Fto.8.2'5..qk...%....2...C.F.9.#..e.xQ.......[...L|....3>/....u.:T.7...(.yM...?V.<?........1.a...O?d.....A.H..'.MpB..T.m..Vn Ip..>k.|1..n.<Fb..f..*Q1.....s..2..{*.6....Pp....obM..1.......b1.......(.u^.'z......v.F.W.X4."-*eu...b.........r#]..}..:Is~/@6<.6....2..j...RSb........{..G.../4......m.../&..........H.R..&...:...r.p$..6B....`<.E,..Qw*...."s ....G..g...J.........".kOK.(...T....N......]+./..eU6.j.s&..c.c~...y.t.._..4E...`..g....?.(.r....H..r|..?.LC.&....9L8....)..i......0.."0...*.H.............0..........Dk.md)=..$.3..r......w.O........{._.-%....G....7R=.+..OA.....M~..(.t.(.R.J.."i..L_g..;.+^'..9.#../.T;-W..W_....OIC%..tRT...nB;(.i.w.W..*..^.=..<...K.}..)[$.E...U.t.......?YE.zW.2l..~.....R._...uRI...Qn..[..u.+........T(T/....(..r....qJ.6z..........;`...S'Z.X..w.P4.mW]9..[#.S2[Z...&...).c...L0..z..}!..3....U..:Fa.D..M.P.,d$4.....b.Bz.E.>...K).&....-.....vX........

                                                                                                                                                                                                                                                C:\Windows\SystemTemp\chrome_BITS_424_1594922559\gcmjkmgdlgnkkcocmoeiminaijmmjnii_9.55.0_all_ocm7dvbavb37zglvqhfr5kszse.crx3 (copy)

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                File Type:Google Chrome extension, version 3
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):37717
                                                                                                                                                                                                                                                Entropy (8bit):7.973440746806729
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:768:WM8Oi1BjTqoAC43p8DzHGgu9OGE2EPdbQbaahQhKMM87JBDa45jAI6RYDo:78vBvn4Z8BqOlpbQbaauM81BhT6Wk
                                                                                                                                                                                                                                                MD5:94B12BA7E81BEF85691E1BCBAEDD4E80
                                                                                                                                                                                                                                                SHA1:4EF7B7D42670572349D493C6ABD74DDAAE217942
                                                                                                                                                                                                                                                SHA-256:6AF08FC2B0DD497E30E40290EFCB817B9B1F7DC7F734AB1A9DD000AE01F36050
                                                                                                                                                                                                                                                SHA-512:5161E8A2D81A619096A2C49BFB14C3CB09FAE509613DD6EC907F8C59E769F8241C5C246530CB8603EB46E00835417D17DF7A2F8CE3CFE963EC43C109E5514B08
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:Cr24..............0.."0...*.H.............0...........\7c.<........Fto.8.2'5..qk...%....2...C.F.9.#..e.xQ.......[...L|....3>/....u.:T.7...(.yM...?V.<?........1.a...O?d.....A.H..'.MpB..T.m..Vn Ip..>k.|1..n.<Fb..f..*Q1.....s..2..{*.6....Pp....obM..1.......b1.......(.u^.'z......v.F.W.X4."-*eu...b.........r#]..}..:Is~/@6<.6....2..j...RSb........{..G.../4......m.../&..........H.R..&...:...r.p$..6B....`<.E,..Qw*...."s ....G..g...J.........".kOK.(...T....N......]+./..eU6.j.s&..c.c~...y.t.._..4E...`..g....?.(.r....H..r|..?.LC.&....9L8....)..i......0.."0...*.H.............0..........Dk.md)=..$.3..r......w.O........{._.-%....G....7R=.+..OA.....M~..(.t.(.R.J.."i..L_g..;.+^'..9.#../.T;-W..W_....OIC%..tRT...nB;(.i.w.W..*..^.=..<...K.}..)[$.E...U.t.......?YE.zW.2l..~.....R._...uRI...Qn..[..u.+........T(T/....(..r....qJ.6z..........;`...S'Z.X..w.P4.mW]9..[#.S2[Z...&...).c...L0..z..}!..3....U..:Fa.D..M.P.,d$4.....b.Bz.E.>...K).&....-.....vX........

                                                                                                                                                                                                                                                C:\Windows\SystemTemp\chrome_BITS_424_1813373480\BIT55B7.tmp

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                File Type:Google Chrome extension, version 3
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):7133
                                                                                                                                                                                                                                                Entropy (8bit):7.769797314691165
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:192:HUyZorqdq5XOLn/ySfF6ay1OAw3VZ9cp5p1m1K1gAt0s:0yZzdqILn/ySAIA+zavm1K/P
                                                                                                                                                                                                                                                MD5:9EF90DD2E7CFA8F6E38260781D2E63F2
                                                                                                                                                                                                                                                SHA1:C5AF04A277E9A07ED21490FA55325FE4D3AA321A
                                                                                                                                                                                                                                                SHA-256:6F9945BB965CE4AEF3427164FC19FAF47A46B069DD2C9F1F931858445E1652A0
                                                                                                                                                                                                                                                SHA-512:37D31114752ECD2235828E3C382D3E116B51B889BCF43CB6A4FCC70F2567FAB155F5CC0D5AB635E9591E8702595D92B75A6D87EFB73C2A1E9D4EA0ED5CFF5A73
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:Cr24..............0.."0...*.H.............0...........\7c.<........Fto.8.2'5..qk...%....2...C.F.9.#..e.xQ.......[...L|....3>/....u.:T.7...(.yM...?V.<?........1.a...O?d.....A.H..'.MpB..T.m..Vn Ip..>k.|1..n.<Fb..f..*Q1.....s..2..{*.6....Pp....obM..1.......b1.......(.u^.'z......v.F.W.X4."-*eu...b...........<........7nh1.^.q.k8?.!.......z...(....V....5/9.G.W.~........=*.D%..mHG.~.0.....k3.*..j.3..5Oy....%.#.|...M.....I 1U.......VW!\........X.GC^.1......r.:r..^.A..A....[\.en...)..cg...o.J.k.?...\.....q...'m..|.w........n2.......P.M.b.q.V ...l......U......0.."0...*.H.............0.........2...p.....n.....a1...Y.sq..lc.V...>.@*...U..{n'B. ...-`..+g...v.p.n...c|w..C......t!.C.G...q.!....~~..[.KR..)H.pJ...^....".$.0V...\.V.n.^.......r........{><.T...tM...`;..F....X.B!.N?+.mAH4.DF.c..A.....M#b.e...|#....Vn1..A.. .......N.i.)...0c;\..q.p.N....E..b....@....%...@..1.....U.&Q..#.J.v5.$?5<..@.(....>p..t..fV.e...i.X...ehmwB.....@..x.P..J.[..I..4.....*...V.-

                                                                                                                                                                                                                                                C:\Windows\SystemTemp\chrome_BITS_424_1813373480\pkomkdjpmjfbkgjjmmaioegaojgdahkm_6.7431.9692_all_pe6fiam6lr47z5remcp5lvp6tq.crx3 (copy)

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                File Type:Google Chrome extension, version 3
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):7133
                                                                                                                                                                                                                                                Entropy (8bit):7.769797314691165
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:192:HUyZorqdq5XOLn/ySfF6ay1OAw3VZ9cp5p1m1K1gAt0s:0yZzdqILn/ySAIA+zavm1K/P
                                                                                                                                                                                                                                                MD5:9EF90DD2E7CFA8F6E38260781D2E63F2
                                                                                                                                                                                                                                                SHA1:C5AF04A277E9A07ED21490FA55325FE4D3AA321A
                                                                                                                                                                                                                                                SHA-256:6F9945BB965CE4AEF3427164FC19FAF47A46B069DD2C9F1F931858445E1652A0
                                                                                                                                                                                                                                                SHA-512:37D31114752ECD2235828E3C382D3E116B51B889BCF43CB6A4FCC70F2567FAB155F5CC0D5AB635E9591E8702595D92B75A6D87EFB73C2A1E9D4EA0ED5CFF5A73
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:Cr24..............0.."0...*.H.............0...........\7c.<........Fto.8.2'5..qk...%....2...C.F.9.#..e.xQ.......[...L|....3>/....u.:T.7...(.yM...?V.<?........1.a...O?d.....A.H..'.MpB..T.m..Vn Ip..>k.|1..n.<Fb..f..*Q1.....s..2..{*.6....Pp....obM..1.......b1.......(.u^.'z......v.F.W.X4."-*eu...b...........<........7nh1.^.q.k8?.!.......z...(....V....5/9.G.W.~........=*.D%..mHG.~.0.....k3.*..j.3..5Oy....%.#.|...M.....I 1U.......VW!\........X.GC^.1......r.:r..^.A..A....[\.en...)..cg...o.J.k.?...\.....q...'m..|.w........n2.......P.M.b.q.V ...l......U......0.."0...*.H.............0.........2...p.....n.....a1...Y.sq..lc.V...>.@*...U..{n'B. ...-`..+g...v.p.n...c|w..C......t!.C.G...q.!....~~..[.KR..)H.pJ...^....".$.0V...\.V.n.^.......r........{><.T...tM...`;..F....X.B!.N?+.mAH4.DF.c..A.....M#b.e...|#....Vn1..A.. .......N.i.)...0c;\..q.p.N....E..b....@....%...@..1.....U.&Q..#.J.v5.$?5<..@.(....>p..t..fV.e...i.X...ehmwB.....@..x.P..J.[..I..4.....*...V.-

                                                                                                                                                                                                                                                C:\Windows\SystemTemp\chrome_BITS_424_511712809\BITD124.tmp

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                File Type:Google Chrome extension, version 3
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):5354113
                                                                                                                                                                                                                                                Entropy (8bit):7.997205266818849
                                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                                SSDEEP:98304:2BKKcrL8jXF06WgjX1qPIyNKR3qB7vhu2WMrPfCu1Hexnh4Xgdv8Pk3+hf:6KPrLIXFbLSIm9B74PufCxhdaPkIf
                                                                                                                                                                                                                                                MD5:D491945BE7D0B47B5FC932121B381EDD
                                                                                                                                                                                                                                                SHA1:8E9FC45EAEFC7E71794CFF7865F0D2D09A50CB75
                                                                                                                                                                                                                                                SHA-256:2FD589C9CF873C7543A9E319731902BF659ED005C24296685683B0DB536519BB
                                                                                                                                                                                                                                                SHA-512:EDC23FFE6E224D11AA64617DC5B45A5C7D5C050A59A638160D45D5532F7774381505F770CDC730AEE634403C683F16533A281775594F4ADB8285DF35F5059560
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:Cr24..............0.."0...*.H.............0...........\7c.<........Fto.8.2'5..qk...%....2...C.F.9.#..e.xQ.......[...L|....3>/....u.:T.7...(.yM...?V.<?........1.a...O?d.....A.H..'.MpB..T.m..Vn Ip..>k.|1..n.<Fb..f..*Q1.....s..2..{*.6....Pp....obM..1.......b1.......(.u^.'z......v.F.W.X4."-*eu...b.........XDR..+(q...|}.Q..0.F.y.Q..U.&bXRIZ.h...d.../V.4.O.e..!..p#..T[..L$.Hr. ..:..>K.....` .^.....bq./..Tz.S.u.s.....2.........)R2^8.Ln..').C.q...w...5`[.q.2B%...:.d.9k.........e.T..s...gS/..........Tl..&...........Z.,..U=..tNr6`....C~M{.3..P...*.C. . .........0.."0...*.H.............0............y..D%b7...a.P....~./~.d.2..K....7K....8...g@....Ux...x..,.G.U...H`..6.(.h....2..t8..#Uf.].i....|D.I%..y.Z....e.c..UFe$p....,...s.!\$r.....r...i........#6I7u".Ev.../.z.............l...C.....vX.L..4u`..M.&.7o_..Y..;x_#'2........-1......^....`{.~.TLrD.,._ .7:\..n..&...G.E$ .A1.w.........r....E...>...i(... ..eRH..%O..)d.^w.2..,....g".^/=X.2.....&....S....><^..l^....c..D.g

                                                                                                                                                                                                                                                C:\Windows\SystemTemp\chrome_BITS_424_511712809\obedbbhbpmojnkanicioggnmelmoomoc_20250306.735925935.14_all_ENUS500000_eyzz2v36osunmyvefm67rcwha4.crx3 (copy)

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                File Type:Google Chrome extension, version 3
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):5354113
                                                                                                                                                                                                                                                Entropy (8bit):7.997205266818849
                                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                                SSDEEP:98304:2BKKcrL8jXF06WgjX1qPIyNKR3qB7vhu2WMrPfCu1Hexnh4Xgdv8Pk3+hf:6KPrLIXFbLSIm9B74PufCxhdaPkIf
                                                                                                                                                                                                                                                MD5:D491945BE7D0B47B5FC932121B381EDD
                                                                                                                                                                                                                                                SHA1:8E9FC45EAEFC7E71794CFF7865F0D2D09A50CB75
                                                                                                                                                                                                                                                SHA-256:2FD589C9CF873C7543A9E319731902BF659ED005C24296685683B0DB536519BB
                                                                                                                                                                                                                                                SHA-512:EDC23FFE6E224D11AA64617DC5B45A5C7D5C050A59A638160D45D5532F7774381505F770CDC730AEE634403C683F16533A281775594F4ADB8285DF35F5059560
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:Cr24..............0.."0...*.H.............0...........\7c.<........Fto.8.2'5..qk...%....2...C.F.9.#..e.xQ.......[...L|....3>/....u.:T.7...(.yM...?V.<?........1.a...O?d.....A.H..'.MpB..T.m..Vn Ip..>k.|1..n.<Fb..f..*Q1.....s..2..{*.6....Pp....obM..1.......b1.......(.u^.'z......v.F.W.X4."-*eu...b.........XDR..+(q...|}.Q..0.F.y.Q..U.&bXRIZ.h...d.../V.4.O.e..!..p#..T[..L$.Hr. ..:..>K.....` .^.....bq./..Tz.S.u.s.....2.........)R2^8.Ln..').C.q...w...5`[.q.2B%...:.d.9k.........e.T..s...gS/..........Tl..&...........Z.,..U=..tNr6`....C~M{.3..P...*.C. . .........0.."0...*.H.............0............y..D%b7...a.P....~./~.d.2..K....7K....8...g@....Ux...x..,.G.U...H`..6.(.h....2..t8..#Uf.].i....|D.I%..y.Z....e.c..UFe$p....,...s.!\$r.....r...i........#6I7u".Ev.../.z.............l...C.....vX.L..4u`..M.&.7o_..Y..;x_#'2........-1......^....`{.~.TLrD.,._ .7:\..n..&...G.E$ .A1.w.........r....E...>...i(... ..eRH..%O..)d.^w.2..,....g".^/=X.2.....&....S....><^..l^....c..D.g

                                                                                                                                                                                                                                                C:\Windows\SystemTemp\chrome_BITS_424_619484869\BIT68F2.tmp

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                File Type:Google Chrome extension, version 3
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):8902
                                                                                                                                                                                                                                                Entropy (8bit):7.794558989064692
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:192:C2ermcQd1bcZjUX2YhGiQ9GdNiGvt2GzCUdntoK:LIJQdyAGY4iQ9QlJmWh
                                                                                                                                                                                                                                                MD5:86BF4A4133E86CC9987535E392875B0C
                                                                                                                                                                                                                                                SHA1:1821110225CFBB207379A13DA361F1A24E5C6E56
                                                                                                                                                                                                                                                SHA-256:1987650928271AD440C2B8A50F309139DE82C742FB6F1F3EA055B35718AC46E7
                                                                                                                                                                                                                                                SHA-512:6568B6AFAA765BACF4B1B632AF326A7119ADA5F85FA179D406829ACA23A78929B5B8C216AFDE9D50AC71D96B952F676A8BC145C086D7AFDA04111CD6EDB1B70E
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:Cr24..............0.."0...*.H.............0...........\7c.<........Fto.8.2'5..qk...%....2...C.F.9.#..e.xQ.......[...L|....3>/....u.:T.7...(.yM...?V.<?........1.a...O?d.....A.H..'.MpB..T.m..Vn Ip..>k.|1..n.<Fb..f..*Q1.....s..2..{*.6....Pp....obM..1.......b1.......(.u^.'z......v.F.W.X4."-*eu...b.........D.Q.......^..0.a..j..G..t.J..)j...;T.W...wv.5..]..IE.N0-.......kX.8.d..K...Z..8pqci.......J...................VZ.......g....aP..aze..-.cAs9.Ml.?:.,.A.`p. .~.^G..l./#.2..A..-..F..r...M....oRL..K.`..e~.peX}C.{..s......U7..^.>pq.n.f..U........0.."0...*.H.............0.........C...|.{..W...pJh...P%:Y.7..g.9...c\r..@.....$.y..uS.......F...^...^..Jn.l.....>.<...h...!-2....4qD....Y..2.....>....:.`.a..FNi...H0...g..>1.|.n..i.'d.[:E.|..e..#.E:.a:..k...v....<.K[.xFy.@A.@..J&...4+.`d..4..Z..}.w...~}.w...Kj....;`KJU...,..2....'46..~t.Bq<...-....E,.....n.X.XZ...a..\.....9j.l.4,-*....R>z...k.!'[.....h....iRR.G4....|z.S4.}.XV...............}|!\

                                                                                                                                                                                                                                                C:\Windows\SystemTemp\chrome_BITS_424_619484869\kiabhabjdbkjdpjbpigfodbdjmbglcoo_2025.01.17.01_all_dd5w5blqtgwb4xkyhfpmehllye.crx3 (copy)

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                File Type:Google Chrome extension, version 3
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):8902
                                                                                                                                                                                                                                                Entropy (8bit):7.794558989064692
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:192:C2ermcQd1bcZjUX2YhGiQ9GdNiGvt2GzCUdntoK:LIJQdyAGY4iQ9QlJmWh
                                                                                                                                                                                                                                                MD5:86BF4A4133E86CC9987535E392875B0C
                                                                                                                                                                                                                                                SHA1:1821110225CFBB207379A13DA361F1A24E5C6E56
                                                                                                                                                                                                                                                SHA-256:1987650928271AD440C2B8A50F309139DE82C742FB6F1F3EA055B35718AC46E7
                                                                                                                                                                                                                                                SHA-512:6568B6AFAA765BACF4B1B632AF326A7119ADA5F85FA179D406829ACA23A78929B5B8C216AFDE9D50AC71D96B952F676A8BC145C086D7AFDA04111CD6EDB1B70E
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:Cr24..............0.."0...*.H.............0...........\7c.<........Fto.8.2'5..qk...%....2...C.F.9.#..e.xQ.......[...L|....3>/....u.:T.7...(.yM...?V.<?........1.a...O?d.....A.H..'.MpB..T.m..Vn Ip..>k.|1..n.<Fb..f..*Q1.....s..2..{*.6....Pp....obM..1.......b1.......(.u^.'z......v.F.W.X4."-*eu...b.........D.Q.......^..0.a..j..G..t.J..)j...;T.W...wv.5..]..IE.N0-.......kX.8.d..K...Z..8pqci.......J...................VZ.......g....aP..aze..-.cAs9.Ml.?:.,.A.`p. .~.^G..l./#.2..A..-..F..r...M....oRL..K.`..e~.peX}C.{..s......U7..^.>pq.n.f..U........0.."0...*.H.............0.........C...|.{..W...pJh...P%:Y.7..g.9...c\r..@.....$.y..uS.......F...^...^..Jn.l.....>.<...h...!-2....4qD....Y..2.....>....:.`.a..FNi...H0...g..>1.|.n..i.'d.[:E.|..e..#.E:.a:..k...v....<.K[.xFy.@A.@..J&...4+.`d..4..Z..}.w...~}.w...Kj....;`KJU...,..2....'46..~t.Bq<...-....E,.....n.X.XZ...a..\.....9j.l.4,-*....R>z...k.!'[.....h....iRR.G4....|z.S4.}.XV...............}|!\

                                                                                                                                                                                                                                                C:\Windows\SystemTemp\chrome_BITS_424_622450413\BIT1A27.tmp

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                File Type:Google Chrome extension, version 3
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):1181927
                                                                                                                                                                                                                                                Entropy (8bit):7.997580237306415
                                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                                SSDEEP:24576:rq9Lbk1ZSPg10//xALQtigTPnWqHAD/Dzj4ZmM4/wIwIs10XYyyJeSq3IfI+GN1s:6LQPcC0//yLlgTPWqgzDH4ZmZs6XYy8r
                                                                                                                                                                                                                                                MD5:F265D47475FFD3884329D92DEEFAE504
                                                                                                                                                                                                                                                SHA1:98C74386481F171B09CB9490281688392EEFBFDD
                                                                                                                                                                                                                                                SHA-256:C900BA9A2D8318263FD43782EE6FD5FB50BAD78BF0EB2C972B5922C458AF45ED
                                                                                                                                                                                                                                                SHA-512:4FD27594C459FB1CD94A857BE10F7D1D6216DBF202CD43E8A3FA395A268C72FC5F5C456C9CB314F2220D766AF741DB469C8BB106ACBED419149A44A3B87619F1
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:Cr24..............0.."0...*.H.............0...........\7c.<........Fto.8.2'5..qk...%....2...C.F.9.#..e.xQ.......[...L|....3>/....u.:T.7...(.yM...?V.<?........1.a...O?d.....A.H..'.MpB..T.m..Vn Ip..>k.|1..n.<Fb..f..*Q1.....s..2..{*.6....Pp....obM..1.......b1.......(.u^.'z......v.F.W.X4."-*eu...b.........R....H.4.>..gg.n6:...d1.<X.R&..V...5.d..o\%r'y..W....}.Gk!..r.7.*.k.@n..^....[.&......^..>.Su...^"aZ.......>m~.....u+..O.....3$s...ABo..)........4..W.3vp^.'..OF.**........f.u.(o..).f..Yu\\..`.z.c...B.Bb.v..w.........c4r../..d|...&@Wk...W..@......0.."0...*.H.............0..........,.v@....]...<.....n..m.RI..~o.....K..+B/$.).EP....H/..}......$.]....m.Y....P.......&/.Q...@7..`.$M..(-!m...*.H....k.P......E%.(.DvnlS....d....$.|....K.......5.....k?........XG..0.... .m...c3O.......xm.x,.D.duG..F+.. Q!.NJT..&..y..LHng.'.[..._i.Pt.........w...:...q.../J..R1....N..]..b._...]y4..f......@.x..\B..h..8b0...{pi..(.....N=@..V...S..o|d;....j.Kx.A..+.

                                                                                                                                                                                                                                                C:\Windows\SystemTemp\chrome_BITS_424_622450413\neifaoindggfcjicffkgpmnlppeffabd_1.0.2738.0_win64_kj4dp5kifwxbdodqls7e5nzhtm.crx3 (copy)

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                File Type:Google Chrome extension, version 3
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):1181927
                                                                                                                                                                                                                                                Entropy (8bit):7.997580237306415
                                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                                SSDEEP:24576:rq9Lbk1ZSPg10//xALQtigTPnWqHAD/Dzj4ZmM4/wIwIs10XYyyJeSq3IfI+GN1s:6LQPcC0//yLlgTPWqgzDH4ZmZs6XYy8r
                                                                                                                                                                                                                                                MD5:F265D47475FFD3884329D92DEEFAE504
                                                                                                                                                                                                                                                SHA1:98C74386481F171B09CB9490281688392EEFBFDD
                                                                                                                                                                                                                                                SHA-256:C900BA9A2D8318263FD43782EE6FD5FB50BAD78BF0EB2C972B5922C458AF45ED
                                                                                                                                                                                                                                                SHA-512:4FD27594C459FB1CD94A857BE10F7D1D6216DBF202CD43E8A3FA395A268C72FC5F5C456C9CB314F2220D766AF741DB469C8BB106ACBED419149A44A3B87619F1
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:Cr24..............0.."0...*.H.............0...........\7c.<........Fto.8.2'5..qk...%....2...C.F.9.#..e.xQ.......[...L|....3>/....u.:T.7...(.yM...?V.<?........1.a...O?d.....A.H..'.MpB..T.m..Vn Ip..>k.|1..n.<Fb..f..*Q1.....s..2..{*.6....Pp....obM..1.......b1.......(.u^.'z......v.F.W.X4."-*eu...b.........R....H.4.>..gg.n6:...d1.<X.R&..V...5.d..o\%r'y..W....}.Gk!..r.7.*.k.@n..^....[.&......^..>.Su...^"aZ.......>m~.....u+..O.....3$s...ABo..)........4..W.3vp^.'..OF.**........f.u.(o..).f..Yu\\..`.z.c...B.Bb.v..w.........c4r../..d|...&@Wk...W..@......0.."0...*.H.............0..........,.v@....]...<.....n..m.RI..~o.....K..+B/$.).EP....H/..}......$.]....m.Y....P.......&/.Q...@7..`.$M..(-!m...*.H....k.P......E%.(.DvnlS....d....$.|....K.......5.....k?........XG..0.... .m...c3O.......xm.x,.D.duG..F+.. Q!.NJT..&..y..LHng.'.[..._i.Pt.........w...:...q.../J..R1....N..]..b._...]y4..f......@.x..\B..h..8b0...{pi..(.....N=@..V...S..o|d;....j.Kx.A..+.

                                                                                                                                                                                                                                                C:\Windows\SystemTemp\chrome_BITS_424_680296652\BIT8C88.tmp

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                File Type:Google Chrome extension, version 3
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):6024
                                                                                                                                                                                                                                                Entropy (8bit):7.720162644638861
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:96:B9xv9wUeWc802fl6ThfK/cVnKSd0pjRVfOD7G8mN/fFGE/y77OHo3ZyL47LtQLu4:BfmUvc8jlUhHoSMAytGcy/OIJyLsLtQJ
                                                                                                                                                                                                                                                MD5:93E97A6AE8C0CC4ACAA5F960C7918511
                                                                                                                                                                                                                                                SHA1:5D61C08DDE1DB8A4B27E113344EDC17B2F89C415
                                                                                                                                                                                                                                                SHA-256:44C97A8527EF50CAB95A16C5E78CD321CBDF315726823AFE7E0482AF9EB18319
                                                                                                                                                                                                                                                SHA-512:E61727A277D971467E850456FBC259DAD77A331873E53E3E905605CD19B01C2DC46DF7400CE8442E39CFAC5AC3FBCD833EC7310C7AB1C3380D900DD676ED1679
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:Cr24..............0.."0...*.H.............0...........\7c.<........Fto.8.2'5..qk...%....2...C.F.9.#..e.xQ.......[...L|....3>/....u.:T.7...(.yM...?V.<?........1.a...O?d.....A.H..'.MpB..T.m..Vn Ip..>k.|1..n.<Fb..f..*Q1.....s..2..{*.6....Pp....obM..1.......b1.......(.u^.'z......v.F.W.X4."-*eu...b.........-.....>...?.0........'..3o...%........YD....NT..5VD.......&.8......f.l.7...1.;.....A^..s.z.o......%...h..:.G.u..f?]y..*LF......D.<.:~~.O.]o.._W%.es{...:c.3.V...).p.[".L.#.h..Hh..,..k.u......{.......K.d...3.L..T..c'..Y..p.qKO6_[..]1..G...........0.."0...*.H.............0..........&..K...d....\...5...[8j.I+.. C....vH.8z6..rA/>8.0%$.J34$B....Kfc<V..Z.M.Q..(.7...3u..3.....z.1.'./........5..zfL..:.x.t.a.....n.Z...H...@.IH..LZ...=.yh..&Xs..9V....>(o^...0-.'oc.......o...<DEu.........z...+.;}..l.......i..R.7.6rs....).=.n.T..[.........Png1.K}4......Mb....R.....;.....F.h.....p..i..R.x..V....4+`...4..l.1x'a...hw.T..'...B...-.N*....7......F.x?O..A.5..xV

                                                                                                                                                                                                                                                C:\Windows\SystemTemp\chrome_BITS_424_680296652\khaoiebndkojlmppeemjhbpbandiljpe_67_win_kfegpqlp6gezs4ree2ol2br2ym.crx3 (copy)

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                File Type:Google Chrome extension, version 3
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):6024
                                                                                                                                                                                                                                                Entropy (8bit):7.720162644638861
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:96:B9xv9wUeWc802fl6ThfK/cVnKSd0pjRVfOD7G8mN/fFGE/y77OHo3ZyL47LtQLu4:BfmUvc8jlUhHoSMAytGcy/OIJyLsLtQJ
                                                                                                                                                                                                                                                MD5:93E97A6AE8C0CC4ACAA5F960C7918511
                                                                                                                                                                                                                                                SHA1:5D61C08DDE1DB8A4B27E113344EDC17B2F89C415
                                                                                                                                                                                                                                                SHA-256:44C97A8527EF50CAB95A16C5E78CD321CBDF315726823AFE7E0482AF9EB18319
                                                                                                                                                                                                                                                SHA-512:E61727A277D971467E850456FBC259DAD77A331873E53E3E905605CD19B01C2DC46DF7400CE8442E39CFAC5AC3FBCD833EC7310C7AB1C3380D900DD676ED1679
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:Cr24..............0.."0...*.H.............0...........\7c.<........Fto.8.2'5..qk...%....2...C.F.9.#..e.xQ.......[...L|....3>/....u.:T.7...(.yM...?V.<?........1.a...O?d.....A.H..'.MpB..T.m..Vn Ip..>k.|1..n.<Fb..f..*Q1.....s..2..{*.6....Pp....obM..1.......b1.......(.u^.'z......v.F.W.X4."-*eu...b.........-.....>...?.0........'..3o...%........YD....NT..5VD.......&.8......f.l.7...1.;.....A^..s.z.o......%...h..:.G.u..f?]y..*LF......D.<.:~~.O.]o.._W%.es{...:c.3.V...).p.[".L.#.h..Hh..,..k.u......{.......K.d...3.L..T..c'..Y..p.qKO6_[..]1..G...........0.."0...*.H.............0..........&..K...d....\...5...[8j.I+.. C....vH.8z6..rA/>8.0%$.J34$B....Kfc<V..Z.M.Q..(.7...3u..3.....z.1.'./........5..zfL..:.x.t.a.....n.Z...H...@.IH..LZ...=.yh..&Xs..9V....>(o^...0-.'oc.......o...<DEu.........z...+.;}..l.......i..R.7.6rs....).=.n.T..[.........Png1.K}4......Mb....R.....;.....F.h.....p..i..R.x..V....4+`...4..l.1x'a...hw.T..'...B...-.N*....7......F.x?O..A.5..xV

                                                                                                                                                                                                                                                C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_1005910677\LICENSE

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                File Type:ASCII text
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):1558
                                                                                                                                                                                                                                                Entropy (8bit):5.11458514637545
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:48:OBOCrYJ4rYJVwUCLHDy43HV713XEyMmZ3teTHn:LCrYJ4rYJVwUCHZ3Z13XtdUTH
                                                                                                                                                                                                                                                MD5:EE002CB9E51BB8DFA89640A406A1090A
                                                                                                                                                                                                                                                SHA1:49EE3AD535947D8821FFDEB67FFC9BC37D1EBBB2
                                                                                                                                                                                                                                                SHA-256:3DBD2C90050B652D63656481C3E5871C52261575292DB77D4EA63419F187A55B
                                                                                                                                                                                                                                                SHA-512:D1FDCC436B8CA8C68D4DC7077F84F803A535BF2CE31D9EB5D0C466B62D6567B2C59974995060403ED757E92245DB07E70C6BDDBF1C3519FED300CC5B9BF9177C
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:// Copyright 2015 The Chromium Authors. All rights reserved..//.// Redistribution and use in source and binary forms, with or without.// modification, are permitted provided that the following conditions are.// met:.//.// * Redistributions of source code must retain the above copyright.// notice, this list of conditions and the following disclaimer..// * Redistributions in binary form must reproduce the above.// copyright notice, this list of conditions and the following disclaimer.// in the documentation and/or other materials provided with the.// distribution..// * Neither the name of Google Inc. nor the names of its.// contributors may be used to endorse or promote products derived from.// this software without specific prior written permission..//.// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS.// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT.// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR.// A PARTICULAR

                                                                                                                                                                                                                                                C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_1005910677\_metadata\verified_contents.json

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                File Type:JSON data
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):1864
                                                                                                                                                                                                                                                Entropy (8bit):6.00682540004288
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:48:p/hUjSoCWAdte7akapu8IA1MSrhykmwDkV:RfpWQte7aSunyRb
                                                                                                                                                                                                                                                MD5:28706AD42E4C615A683C2494BC0BD2AF
                                                                                                                                                                                                                                                SHA1:6B0465B3D5E85A3EA76C646BA8652C4DC0248DC0
                                                                                                                                                                                                                                                SHA-256:709BBB3E3A17E2B7BBF9F4AFDCF465312695342CE4EB203DF284233EACEE086F
                                                                                                                                                                                                                                                SHA-512:E95DA92F1AD5F56EF61A5992A1B465D46F36EFF1FC85643CC5AB3F357B6F14D81A5B5590D0E18D4DA5FCC3AC537A469FD0C15B116A3471536707A9716119FA5F
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJMSUNFTlNFIiwicm9vdF9oYXNoIjoiUGIwc2tBVUxaUzFqWldTQnctV0hIRkltRlhVcExiZDlUcVkwR2ZHSHBWcyJ9LHsicGF0aCI6ImtleXMuanNvbiIsInJvb3RfaGFzaCI6IlJ1R2ZTVTVlZVdiRHczOVpOMmQ5NHhIRkJuY2JNMWxtZXgybk5ZVmhMU00ifSx7InBhdGgiOiJtYW5pZmVzdC5qc29uIiwicm9vdF9oYXNoIjoiVXdpQzFfVTFybGVra0d5bk5iRVp5ZU5rZ011M2dNZm9yVGZKeVAzejJiRSJ9XSwiZm9ybWF0IjoidHJlZWhhc2giLCJoYXNoX2Jsb2NrX3NpemUiOjQwOTZ9XSwiaXRlbV9pZCI6ImtpYWJoYWJqZGJramRwamJwaWdmb2RiZGptYmdsY29vIiwiaXRlbV92ZXJzaW9uIjoiMjAyNS4xLjE3LjEiLCJwcm90b2NvbF92ZXJzaW9uIjoxfQ","signatures":[{"header":{"kid":"publisher"},"protected":"eyJhbGciOiJSUzI1NiJ9","signature":"DjJ0cJJFQPGNShH6cqF0KMXYB9LDN7hZ0z-M2b0RfT3cl9Mxp62MiQM0bqevSkL0tNe9rHL_VWqPqY7PDdCoumMJ-TVwboLlLJq3c1H9NYQgQ-nQS4F3mFBvP0YJ-Kunf6byMQnF4FLGqtuRouNWZBUqyahkm__1_0-5qoAVqSms3wmBnmVhb1z4p-I6jEjko0pLBq4dad2vH7G6THiOPP15L1ozQ42gvfw5aLvn_Itjpwq7GaU9lNv

                                                                                                                                                                                                                                                C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_1005910677\keys.json

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                File Type:JSON data
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):6690
                                                                                                                                                                                                                                                Entropy (8bit):5.981211959058716
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:96:UXq6pG2GE+Vy2+m0plhYvPuW+wkpTm+ozdswsDm4+uTagSfC3AQj+y:uNtGbVKm4lOvMwkoR9PuGs3gy
                                                                                                                                                                                                                                                MD5:BEF4F9F856321C6DCCB47A61F605E823
                                                                                                                                                                                                                                                SHA1:8E60AF5B17ED70DB0505D7E1647A8BC9F7612939
                                                                                                                                                                                                                                                SHA-256:FD1847DF25032C4EEF34E045BA0333F9BD3CB38C14344F1C01B48F61F0CFD5C5
                                                                                                                                                                                                                                                SHA-512:BDEC3E243A6F39BFEA4130C85B162EA00A4974C6057CD06A05348AC54517201BBF595FCC7C22A4AB2C16212C6009F58DF7445C40C82722AB4FA1C8D49D39755C
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:{"https://issuer.captchafox.com":{"PrivateStateTokenV1VOPRF":{"batchsize":1,"id":1,"keys":{"0":{"Y":"AAAAAQQiyE+SESbq7GU5rTx6tZO4tBOxljp+Oya2mU28O+YoALIyXlLLqnl/h5h95ExYSsOlmMIb8EdsJBTrCaDl/KIZSskrfMbZpjhShG0jwnbXojEHI9WaAxKLkX/A/DkyMEg=","expiry":"1734807628115000"},"1":{"Y":"AAAAAQRNtld+5LLBquS4bEJKJwlLw61tzIyqTNkvMVnUTu+YiphbdGrRCjeDTN9D3p1Tgpfmq0N/OKMBYWzDMEN8Km9p9s49c6N2ph4B1MV1m7Ogdj969MOsTw54Kc849oqDl8s=","expiry":"1734807628115000"},"2":{"Y":"AAAAAQSBWW003A3ORFURCZrWNnbEIH15yzk184DaLSebbGzRdyCYtAM1qhhVmXZyBtWTzh6Bfkk5rLPyE1xdQilofPBizF/QJsdaMU0GYhPW1sOU4xoKbmgd/XrnOoFqA2ETOuc=","expiry":"1734807628115000"},"3":{"Y":"AAAAAQSG/ftGdm5B6iwAmVsHt6s43xx3nRf/Vpx9GdeEt3jSTM8hHvyLE9FAEkinGjt4Fp5EjnkCdE96Cxz10nZJRrMApIrGhG5kAoDu4T8PjJPiFQFyHAOdTG7OJWi2NS/rl1A=","expiry":"1734807628115000"},"4":{"Y":"AAAAAQT36tqe550UP5A+4Eokt8iuPZEuWQc9cGJXd7zUCZzrsqtGu3PMcVbOj5DjC4W+yoyF3HqKOqdtiBWgcMsZOcyln/6jUKqf5tS9AoIHa9CC3kQB8ISQd3lhR5j+qWVY8ms=","expiry":"1734807628115000"},"5":{"Y":"AAAAAQQMjaLNCR

                                                                                                                                                                                                                                                C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_1005910677\manifest.fingerprint

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):66
                                                                                                                                                                                                                                                Entropy (8bit):4.005340674128682
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:3:SUsO4D2HGQ42IAVFxx9WQnRJn:SUsO4qmQHVDx0QDn
                                                                                                                                                                                                                                                MD5:030D9E3F4502E24594ABCA380C073974
                                                                                                                                                                                                                                                SHA1:AE068D4F8C668477DD8F4BC2892F09D0802130E0
                                                                                                                                                                                                                                                SHA-256:FD86A9E808BCC78B926C111633615D9A807D60A20CE2BAC7360915336ABB738F
                                                                                                                                                                                                                                                SHA-512:F28A0311A80FE81965874AE5A46161A7658E149AA48E26B81C500339461B84F2EB53193AEF4E4C78AADB7191AC4518E81BBFB1672CE6077200CC6DF5FAC4054B
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:1.1987650928271ad440c2b8a50f309139de82c742fb6f1f3ea055b35718ac46e7

                                                                                                                                                                                                                                                C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_1005910677\manifest.json

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                File Type:JSON data
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):79
                                                                                                                                                                                                                                                Entropy (8bit):4.442932812379182
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:3:rR6TAulhFphifFIPgS1oSLsY:F6VlMyPgS1oxY
                                                                                                                                                                                                                                                MD5:7F4B594A35D631AF0E37FEA02DF71E72
                                                                                                                                                                                                                                                SHA1:F7BC71621EA0C176CA1AB0A3C9FE52DBCA116F57
                                                                                                                                                                                                                                                SHA-256:530882D7F535AE57A4906CA735B119C9E36480CBB780C7E8AD37C9C8FDF3D9B1
                                                                                                                                                                                                                                                SHA-512:BF3F92F5023F0FBAD88526D919252A98DB6D167E9CA3E15B94F7D71DED38A2CFB0409F57EF24708284DDD965BDA2D3207CD99C008B1C9C8C93705FD66AC86360
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:{. "manifest_version": 2,. "name": "trustToken",. "version": "2025.1.17.1".}

                                                                                                                                                                                                                                                C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_148406828\Filtering Rules

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):77095
                                                                                                                                                                                                                                                Entropy (8bit):5.538618070900601
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:1536:y1RlxQ6jQG4eeBp91moaWQQgw6I7xQvQUjci7UglVMSe/14SorG:YFBjt4xBpeoaVQgw6ItEQUjci7TVMJ46
                                                                                                                                                                                                                                                MD5:5F2E8BC6FD4937FBB0939C6773064F3E
                                                                                                                                                                                                                                                SHA1:524FAECE2A5491EF2739C2424F962C9ADF74E891
                                                                                                                                                                                                                                                SHA-256:4723C6E42380C6A90A601C9BF6E4DD72136958516DE05623DC8D342B6E05F00C
                                                                                                                                                                                                                                                SHA-512:D5B3CF6AB579B71F68BB02739B70DE1D403CE59C45442015E09B502E723E9D9FFCCED8429C228F467995CD01A13CAE9D2172994FF0D8677DFE501898922E00B7
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:............0.8.@.R.-728x90...........0.8.@.R.adtdp.com^..........0.8.@.R.just-news.pro^..........0.8.@.R.6dc2699b37.com^..........0.8.@.R.yomeno.xyz^..........0.8.@.R.yellowblue.io^..........0.8.@.R.abh.jp^..........0.8.@.R.ad999.biz^..........0.8.@.R._468_60...........0.8.@.R.adrecover.com^..........0.8.@.R.pemsrv.com^..........0.8.@.R.mnaspm.com^.$........0.8.@.R.tags.refinery89.com^.,........0.8.@.R.mysmth.net/nForum/*/ADAgent_.>........*...worldstar.com0.8.@.R.js.assemblyexchange.com/wana..(........0.8.@.R.ogads-pa.googleapis.com^..........0.8.@.R.indoleads.com^.%......0.8.@.R.discordapp.com/banners/.(........0.8.@.R.looker.com/api/internal/.#........0.8.@.R.broadstreetads.com^.(........0.8.@.R.shikoku-np.co.jp/img/ad/..........0.8.@.R./in/track?data=.!......0.8.@.R.linkbucks.com/tmpl/..........0.8.@.R.clicktripz.com^..........0.8.@.R.-ad-manager/........0.8.@.R.files.slack.com^.$........0.8.@.R.admitad-connect.com^..........0.8.@.R./300-250-.2........0.8.@.R"cloudfront.net/js/com

                                                                                                                                                                                                                                                C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_148406828\LICENSE.txt

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):24623
                                                                                                                                                                                                                                                Entropy (8bit):4.588307081140814
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:384:mva5sf5dXrCN7tnBxpxkepTqzazijFgZk231Py9zD6WApYbm0:mvagXreRnTqzazWgj0v6XqD
                                                                                                                                                                                                                                                MD5:D33AAA5246E1CE0A94FA15BA0C407AE2
                                                                                                                                                                                                                                                SHA1:11D197ACB61361657D638154A9416DC3249EC9FB
                                                                                                                                                                                                                                                SHA-256:1D4FF95CE9C6E21FE4A4FF3B41E7A0DF88638DD449D909A7B46974D3DFAB7311
                                                                                                                                                                                                                                                SHA-512:98B1B12FF0991FD7A5612141F83F69B86BC5A89DD62FC472EE5971817B7BBB612A034C746C2D81AE58FDF6873129256A89AA8BB7456022246DC4515BAAE2454B
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:EasyList Repository Licences.... Unless otherwise noted, the contents of the EasyList repository.. (https://github.com/easylist) is dual licensed under the GNU General.. Public License version 3 of the License, or (at your option) any later.. version, and Creative Commons Attribution-ShareAlike 3.0 Unported, or.. (at your option) any later version. You may use and/or modify the files.. as permitted by either licence; if required, "The EasyList authors.. (https://easylist.to/)" should be attributed as the source of the.. material. All relevant licence files are included in the repository..... Please be aware that files hosted externally and referenced in the.. repository, including but not limited to subscriptions other than.. EasyList, EasyPrivacy, EasyList Germany and EasyList Italy, may be.. available under other conditions; permission must be granted by the.. respective copyright holders to authorise the use of their material.......Creative Commons Attribut

                                                                                                                                                                                                                                                C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_148406828\_metadata\verified_contents.json

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                File Type:JSON data
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):1529
                                                                                                                                                                                                                                                Entropy (8bit):5.976028518573561
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:24:pZRj/flTHYFluT1XkYbKgH8jeT3g8zkaoXdKydEHKcL/cAyXoXmKiqJzc64VnICx:p/h4iJfbKgHzT1kakd9d+/LyXkmKL4dJ
                                                                                                                                                                                                                                                MD5:B34777C83FE725443F6706F838BFCC71
                                                                                                                                                                                                                                                SHA1:FB5FAB94D7E51A04BFECD8CA892A0268A491B68B
                                                                                                                                                                                                                                                SHA-256:93FCA3B0D84D2A8B73AEB4F9750EC4075D564677CA62FA9BBD976D5D5619E90C
                                                                                                                                                                                                                                                SHA-512:377A4EC4982378ABCDCFD91B257A3EF9FEA2DD9F6757A22DD5F829801FA5553B788155435F5F065FEB70B1E7D3F60812458D631C7C5B77D4E4E629DC3CB1D422
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJGaWx0ZXJpbmcgUnVsZXMiLCJyb290X2hhc2giOiJ6U0s3aDNrdHZHdk0tN0FNeExfLXpmbm9wUldrTkoxU2E0RW1QTVdpa3dnIn0seyJwYXRoIjoiTElDRU5TRS50eHQiLCJyb290X2hhc2giOiIyaWswNmk0TFlCdVNHNWphRGFIS253NE9pdnVSRzZsQ0JKMVk0TGtzRFJJIn0seyJwYXRoIjoibWFuaWZlc3QuanNvbiIsInJvb3RfaGFzaCI6Ik0zUVZyMko2WEZJTjZIaERNdzFiU2RnRUhrdk5NVlMxdnNIU29mWHJtWDQifV0sImZvcm1hdCI6InRyZWVoYXNoIiwiaGFzaF9ibG9ja19zaXplIjo0MDk2fV0sIml0ZW1faWQiOiJnY21qa21nZGxnbmtrY29jbW9laW1pbmFpam1tam5paSIsIml0ZW1fdmVyc2lvbiI6IjkuNTUuMCIsInByb3RvY29sX3ZlcnNpb24iOjF9","signatures":[{"header":{"kid":"publisher"},"protected":"eyJhbGciOiJSUzI1NiJ9","signature":"eVOox95LHt_huD1ZXNk2zxPSK5LxokRu6x0S_ww8Ogb8eOdWxUS-5DWuW4M3rfp6I9tSsLFbZQBy5kvVbkG2XTL2RHMfdF39BNFpjebNLkcQj85ki-IZdn4iYzb7yR8D2jsu2I5aXLZKuwemUaYqw_WiH8DPDTddIWBsR26QcPWGLg1H97vUpe7XsZSs2evmcojkfDe0pzKgmnnsngqJjoPdYbz7iCvc4cTtvuT5q_DqSlH8t

                                                                                                                                                                                                                                                C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_148406828\manifest.fingerprint

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):66
                                                                                                                                                                                                                                                Entropy (8bit):3.858534313092168
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:3:STED3DG7BRc6VANMdunDlGwpva:S+3y66qNMgDl1pC
                                                                                                                                                                                                                                                MD5:00336491D5151AE40C377A836A97D4E1
                                                                                                                                                                                                                                                SHA1:B66D1B09F3473DAC79E036F30C12003E1707E0A0
                                                                                                                                                                                                                                                SHA-256:3D4821C7C552D1D9F0A36859C34432433A7084B27D7928011B0534215EFFD3C9
                                                                                                                                                                                                                                                SHA-512:12E324A3782DC7928FC182C74D3E8CBE8FBF3D884D54A03C891775041B8FAF4B96F4F271C04E67AC3D6FE610F87F63FF5DCD04870AED92B2B470F73BD7AD38D4
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:1.6af08fc2b0dd497e30e40290efcb817b9b1f7dc7f734ab1a9dd000ae01f36050

                                                                                                                                                                                                                                                C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_148406828\manifest.json

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                File Type:JSON data
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):114
                                                                                                                                                                                                                                                Entropy (8bit):4.547350270682037
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:3:rR6TAulhFphifFHXG7LGMdv5HcDKhtUJKS1wA:F6VlMZWuMt5SKPS1wA
                                                                                                                                                                                                                                                MD5:9585CB6CAE92DF90F9FCE1091C6DA40A
                                                                                                                                                                                                                                                SHA1:FCA8BDED549311578C4623680159FFED831FC38B
                                                                                                                                                                                                                                                SHA-256:337415AF627A5C520DE87843330D5B49D8041E4BCD3154B5BEC1D2A1F5EB997E
                                                                                                                                                                                                                                                SHA-512:99192B2F98C559CE61CFE5796733A9DA01CF9B4CA966500ABDD71E35E18A3BF9B75CE5815E73F19D07F299E4BE2B8FC6B9F289D6BBBBF357B9C0D24622DB8207
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:{. "manifest_version": 2,. "name": "Subresource Filtering Rules",. "ruleset_format": 1,. "version": "9.55.0".}

                                                                                                                                                                                                                                                C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_1562856539\Google.Widevine.CDM.dll

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):2877728
                                                                                                                                                                                                                                                Entropy (8bit):6.868480682648069
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:49152:GB6BoH5sOI2CHusbKOdskuoHHVjcY94RNETO2WYA4oPToqnQ3dK5zuqvGKGxofFo:M67hlnVjcYGRNETO2WYA4oLoqnJuZI5
                                                                                                                                                                                                                                                MD5:477C17B6448695110B4D227664AA3C48
                                                                                                                                                                                                                                                SHA1:949FF1136E0971A0176F6ADEA8ADCC0DD6030F22
                                                                                                                                                                                                                                                SHA-256:CB190E7D1B002A3050705580DD51EBA895A19EB09620BDD48D63085D5D88031E
                                                                                                                                                                                                                                                SHA-512:1E267B01A78BE40E7A02612B331B1D9291DA8E4330DEA10BF786ACBC69F25E0BAECE45FB3BAFE1F4389F420EBAA62373E4F035A45E34EADA6F72C7C61D2302ED
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                                                                                                                                                                Joe Sandbox View:
                                                                                                                                                                                                                                                • Filename: ATT42345678_EBE15BD3-3790-4134-A07B-5CE56D3CA0592023-03-15T11-09-41.html, Detection: malicious, Browse
                                                                                                                                                                                                                                                • Filename: 438XXX5089.pdf, Detection: malicious, Browse
                                                                                                                                                                                                                                                • Filename: Discord Nitro Gift Generator.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                • Filename: , Detection: malicious, Browse
                                                                                                                                                                                                                                                • Filename: .html, Detection: malicious, Browse
                                                                                                                                                                                                                                                • Filename: , Detection: malicious, Browse
                                                                                                                                                                                                                                                • Filename: cndx.com.eml, Detection: malicious, Browse
                                                                                                                                                                                                                                                • Filename: Fd-Employee-Handbook(1).pdf, Detection: malicious, Browse
                                                                                                                                                                                                                                                • Filename: ATT001_2674865722.htm, Detection: malicious, Browse
                                                                                                                                                                                                                                                • Filename: , Detection: malicious, Browse
                                                                                                                                                                                                                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d.....fd.........." ......(..........A&.......................................,.......,...`A.........................................V*......V*......`,......`+..p....+. )...p,......D*.8....................C*.(.....(.8...........p\*..............................text.....(.......(................. ..`.rdata..h.....(.......(.............@..@.data....l....*..&....*.............@....pdata...p...`+..r....*.............@..@.00cfg..(.....+......p+.............@..@.gxfg....$....+..&...r+.............@..@.retplnel.... ,.......+..................tls.........0,.......+.............@....voltbl.D....@,.......+................._RDATA.......P,.......+.............@..@.rsrc........`,.......+.............@..@.reloc.......p,.......+.............@..B........................................................................................................................................

                                                                                                                                                                                                                                                C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_1562856539\_metadata\verified_contents.json

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                File Type:JSON data
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):1778
                                                                                                                                                                                                                                                Entropy (8bit):6.02086725086136
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:48:p/hCdQAdJjRkakCi0LXjX9mqjW6JmfQkNWQzXXf2gTs:RtQ1aaxXrjW6JuQEWQKas
                                                                                                                                                                                                                                                MD5:3E839BA4DA1FFCE29A543C5756A19BDF
                                                                                                                                                                                                                                                SHA1:D8D84AC06C3BA27CCEF221C6F188042B741D2B91
                                                                                                                                                                                                                                                SHA-256:43DAA4139D3ED90F4B4635BD4D32346EB8E8528D0D5332052FCDA8F7860DB729
                                                                                                                                                                                                                                                SHA-512:19B085A9CFEC4D6F1B87CC6BBEEB6578F9CBA014704D05C9114CFB0A33B2E7729AC67499048CB33823C884517CBBDC24AA0748A9BB65E9C67714E6116365F1AB
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJHb29nbGUuV2lkZXZpbmUuQ0RNLmRsbCIsInJvb3RfaGFzaCI6Im9ZZjVLQ2Z1ai1MYmdLYkQyWFdBS1E5Nkp1bTR1Q2dCZTRVeEpGSExSNWMifSx7InBhdGgiOiJtYW5pZmVzdC5qc29uIiwicm9vdF9oYXNoIjoiYk01YTJOU1d2RkY1LW9Tdml2eFdqdXVwZ05pblVGakdPQXRrLTBJcGpDZyJ9XSwiZm9ybWF0IjoidHJlZWhhc2giLCJoYXNoX2Jsb2NrX3NpemUiOjQwOTZ9XSwiaXRlbV9pZCI6Im5laWZhb2luZGdnZmNqaWNmZmtncG1ubHBwZWZmYWJkIiwiaXRlbV92ZXJzaW9uIjoiMS4wLjI3MzguMCIsInByb3RvY29sX3ZlcnNpb24iOjF9","signatures":[{"header":{"kid":"publisher"},"protected":"eyJhbGciOiJSUzI1NiJ9","signature":"KTPeHzS0ybFaz3_br3ASYWHjb6Ctul92067u2JMwtNYYm-4KxLiSkJZNBIzhm6hNSEW2p5kUEvHD0TjhhFGCZnWm9titj2bqJayCOAGxZb5BO74JJCRfy5Kwr1KSS4nvocsZepnHBmCiG2OV3by-Lyf1h1uU3X3bDfD92O0vJzrA8rwL2LrwIk-BolLo5nlM0I_MZwg8DhZ8SFBu9GGRVB2XrailDrv4SgupFE9gqA1HY6kjRjoyoAHbRRxZdBNNt9IKNdxNyaF9NcNRY8dAedNQ9Tw3YNp5jB7R9lcjO4knn58RdH2h_GiJ4l96StcXA4e7cqbJ77P-c

                                                                                                                                                                                                                                                C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_1562856539\manifest.fingerprint

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):66
                                                                                                                                                                                                                                                Entropy (8bit):3.974403644129192
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:3:SLVV8T+WSq2ykFDJp9qBn:SLVqZS5p0B
                                                                                                                                                                                                                                                MD5:D30A5BBC00F7334EEDE0795D147B2E80
                                                                                                                                                                                                                                                SHA1:78F3A6995856854CAD0C524884F74E182F9C3C57
                                                                                                                                                                                                                                                SHA-256:A08C1BC41DE319392676C7389048D8B1C7424C4B74D2F6466BCF5732B8D86642
                                                                                                                                                                                                                                                SHA-512:DACF60E959C10A3499D55DC594454858343BF6A309F22D73BDEE86B676D8D0CED10E86AC95ECD78E745E8805237121A25830301680BD12BFC7122A82A885FF4B
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:1.c900ba9a2d8318263fd43782ee6fd5fb50bad78bf0eb2c972b5922c458af45ed

                                                                                                                                                                                                                                                C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_1562856539\manifest.json

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                File Type:JSON data
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):145
                                                                                                                                                                                                                                                Entropy (8bit):4.595307058143632
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:3:rR6TAulhFphifFooG+HhFFKS18CWjhXLXGPQ3TRpvF/FHddTcplFHddTcVYA:F6VlM5PpKS18hRIA
                                                                                                                                                                                                                                                MD5:BBC03E9C7C5944E62EFC9C660B7BD2B6
                                                                                                                                                                                                                                                SHA1:83F161E3F49B64553709994B048D9F597CDE3DC6
                                                                                                                                                                                                                                                SHA-256:6CCE5AD8D496BC5179FA84AF8AFC568EEBA980D8A75058C6380B64FB42298C28
                                                                                                                                                                                                                                                SHA-512:FB80F091468A299B5209ACC30EDAF2001D081C22C3B30AAD422CBE6FEA7E5FE36A67A8E000D5DD03A30C60C30391C85FA31F3931E804C351AB0A71E9A978CC0F
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:{. "manifest_version": 2,. "name": "windows-mf-cdm",. "version": "1.0.2738.0",. "accept_arch": [. "x64",. "x86_64",. "x86_64h". ].}

                                                                                                                                                                                                                                                C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_1778473901\_metadata\verified_contents.json

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                File Type:JSON data
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):1792
                                                                                                                                                                                                                                                Entropy (8bit):6.019348476983808
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:48:p/hP+drAdRW37aktiyC2xCe69xqYGCRk7NOzPI4Ek:RSQw37anyC+CDGGccA4f
                                                                                                                                                                                                                                                MD5:0F48EA696FDF31DABB72FD4A472E4A93
                                                                                                                                                                                                                                                SHA1:A24862DAB4B7146073F74165D733E8EDA45C5185
                                                                                                                                                                                                                                                SHA-256:57645239B1AECD3BFF0EDF2C489A55221855D4DD690541F57129449D34DC2CE6
                                                                                                                                                                                                                                                SHA-512:1A32EE516B00800EBE49A17D0DC05A0A21589016A28A6B0CA2934A951DF0E09CDF46B75A9DE7AF62435807DF1EEB10F128284E03AD84A324F7F71EE9AD191CBF
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJtYW5pZmVzdC5qc29uIiwicm9vdF9oYXNoIjoib1hRamtrQnY5dDFiX1Jzc0NBNjJhNzEwZEZZYVl2MktzOHpZTUFXWEUxMCJ9LHsicGF0aCI6InByaXZhY3ktc2FuZGJveC1hdHRlc3RhdGlvbnMuZGF0Iiwicm9vdF9oYXNoIjoiSnBiZFpKbk9wY0tXZE1zWVhZQVozTzNJR1BDZkg1NzZaS1FqbjZWUEtfZyJ9XSwiZm9ybWF0IjoidHJlZWhhc2giLCJoYXNoX2Jsb2NrX3NpemUiOjQwOTZ9XSwiaXRlbV9pZCI6Im5paWtoZGdhamxwaGZlaGVwYWJoaGJsYWtiZGdlZWZqIiwiaXRlbV92ZXJzaW9uIjoiMjAyNS4zLjEyLjAiLCJwcm90b2NvbF92ZXJzaW9uIjoxfQ","signatures":[{"header":{"kid":"publisher"},"protected":"eyJhbGciOiJSUzI1NiJ9","signature":"D1yGWCJ13w_a4aZS-GmRy1UaSnKuPyDaexx705PHm_LYjgxXA8UjTQ9bScleEJZkORAwk9gKs65NUkOIZOPGdPUDhQg3gDWqrESXFzPZk4RzaEwwlPh-33zUE0qWXcz4FwKu1WGN_Ok4HrKRgdihn7ea4OvP8VqvfNRP56CMpOuQxMLdGtj33weeTm9wBG2D-g2De2hqPBC6G0Jr9FnJ_wLkuNsuMmotIuVgQMViTCStpvxyrUiSyBwWdJH9By924Uu66zgVGLnpcv5tMoSwVylMy3ouQ3_lj2ul-hu5YJa7RzW2gOxCwb7ZtnFkfFx

                                                                                                                                                                                                                                                C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_1778473901\manifest.fingerprint

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):66
                                                                                                                                                                                                                                                Entropy (8bit):3.9364303497856072
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:3:SQ/SHHHWbcM8VH5DM/4+MlRddVGWSDn:SQ/+HNMEZR+MlPdVGWSD
                                                                                                                                                                                                                                                MD5:ABB7EA6FFEFB13622CB47C36A07B9175
                                                                                                                                                                                                                                                SHA1:E593E3B6161F9DF88BACBEF7987BF76F3A886FD5
                                                                                                                                                                                                                                                SHA-256:6AC28AE1C8DFDE9830AC0B6C6DF657731FB2C895701AFE13F5682F82C5C69137
                                                                                                                                                                                                                                                SHA-512:5F514012BDD35FB413288E161BD0277EB89AC8B0204C1D63603DDEF119946E77D71DCBFD5D2A7694D945595029538F43D0C00DABC2CE2820528EFAEBB121018B
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:1.5c635bbbb3bfc63910e29a0be9ff5ee0990cca2d3aaa56e4f4cd2c480c81b7df

                                                                                                                                                                                                                                                C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_1778473901\manifest.json

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                File Type:JSON data
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):97
                                                                                                                                                                                                                                                Entropy (8bit):4.60145350054745
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:3:rR6TAulhFphifF1mYTdFKS1oMUm:F6VlMXdTHKS1oVm
                                                                                                                                                                                                                                                MD5:A6B4EE3137180CAD95E7BEFB62CBF122
                                                                                                                                                                                                                                                SHA1:FA26A56140944B21D6A1ECC7FB3EFC0D97D3EF23
                                                                                                                                                                                                                                                SHA-256:A1742392406FF6DD5BFD1B2C080EB66BBD7474561A62FD8AB3CCD8300597135D
                                                                                                                                                                                                                                                SHA-512:35AE8B940797600B727DACED0ACF856263D219697DB923747D745D990C8798ADA5159AC36544A6EC5952F74809D5489A371C6BB44325DEE7BBE52965240188E0
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:{. "manifest_version": 2,. "name": "Privacy Sandbox Attestations",. "version": "2025.3.12.0".}

                                                                                                                                                                                                                                                C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_1778473901\privacy-sandbox-attestations.dat

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):7422
                                                                                                                                                                                                                                                Entropy (8bit):5.070572988249595
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:192:I+0f6TueVE9GihNKybjrbgfJsSCiJig+pBWh3zJmOlwy1T:R0f6TudccKybbghsSCeig+vW31m7YT
                                                                                                                                                                                                                                                MD5:BA9EB9F524A133FEB268463CE7BE918D
                                                                                                                                                                                                                                                SHA1:B91835A18402B8652939B5A25F8DDF1DBD0418A0
                                                                                                                                                                                                                                                SHA-256:5103766F23C8FE7FD12DC97F4B8671BC954943BCECFCA4842346E9F2F5FB27AD
                                                                                                                                                                                                                                                SHA-512:8FC4B4C4EDDC5EF2ADDAD4FBC52A289C5F59018AAD09A8891AE0F4457908153632B6575155A2256EA13754C1EB329AC9F93050316A3F27429B9CFAC06D9725A0
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:.........https://2k.com..https://33across.com..https://360yield.com..https://3lift.com..https://ad-score.com..https://ad.gt..https://adentifi.com..https://adform.net..https://adingo.jp..https://admatrix.jp..https://admixer.net..https://adnami.io..https://adnxs.com..https://adsafeprotected.com..https://adsrvr.org..https://adthrive.com..https://advividnetwork.com.Nhttps://aggregation-service-site-dot-clz200258-datateam-italy.ew.r.appspot.com..https://anonymised.io..https://aphub.ai..https://appier.net..https://avads.net..https://ayads.io..https://bidswitch.net..https://bidtheatre.net..https://bing.com..https://blendee.com..https://bounceexchange.com..https://bypass.jp..https://casalemedia.com..https://cdn-net.com..https://clickonometrics.pl..https://connected-stories.com..https://crcldu.com..https://creativecdn.com..https://criteo.com..https://ctnsnet.com..https://dabbs.net..https://daum.net..https://display.io..https://dotdashmeredith.com..https://dotomi.com..https://doubleclick.net..ht

                                                                                                                                                                                                                                                C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_306068185\_metadata\verified_contents.json

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                File Type:JSON data
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):1425
                                                                                                                                                                                                                                                Entropy (8bit):5.984015066019505
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:24:pZRj/flTm6MHaGpqY14pFpNo5zkaoXs3jrDWJ4um6Sj3NFvLToXUlyEghoYruFW0:p/hyaI114p/NoBkakK+MzjvPknzhjrIR
                                                                                                                                                                                                                                                MD5:DB6B5E9AD82567AC91E385C844EE48E8
                                                                                                                                                                                                                                                SHA1:A036AB1A8414849A86251A2FF9BF6710A9C9F4E7
                                                                                                                                                                                                                                                SHA-256:52C7DEEAF3D58CD2DFCD83742FB8A98EA190A3D00D472A7CD7EEA5906DADC42C
                                                                                                                                                                                                                                                SHA-512:513302E49F532A452867CA04B090AB6E86D5DF1B05F0C5C66E2E79B04841244F020CDE23CC5112400E8DFC01F77301079749BD435F71791E98289F94E0C29BEB
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJkb3dubG9hZF9maWxlX3R5cGVzLnBiIiwicm9vdF9oYXNoIjoiQkJEaURlc3R5Zkk0NGlud1Job1pwcktTaklVRFFEYWE0N0VudExRY0JONCJ9LHsicGF0aCI6Im1hbmlmZXN0Lmpzb24iLCJyb290X2hhc2giOiJXd0ZSSW5iRVhzeEQxTC1wcVJLOXIzcjhKaFVJZ2ZLZ0VabHl2XzI5aXJBIn1dLCJmb3JtYXQiOiJ0cmVlaGFzaCIsImhhc2hfYmxvY2tfc2l6ZSI6NDA5Nn1dLCJpdGVtX2lkIjoia2hhb2llYm5ka29qbG1wcGVlbWpoYnBiYW5kaWxqcGUiLCJpdGVtX3ZlcnNpb24iOiI2NyIsInByb3RvY29sX3ZlcnNpb24iOjF9","signatures":[{"header":{"kid":"publisher"},"protected":"eyJhbGciOiJSUzI1NiJ9","signature":"kKjnK_PItzAiww4ew3TipZEHlREOkbr8UtbU-gA0Nty9dJxeCT89OutDvsrBvbjWbaELYjJeug3zH8EkBkgm-Ys03h0deA0OzuU19DjG67xldatYWg95ZaexcYoSRnyWpfBTZgvhO-9JLZxf36rYJVRQaQxUh6j9zRJAXBdfMtx2O3WZu4cZ2Bvza43OTYPpsEcxYmosdlns5P9vjb0JdlbFjHunCf44SjbNrjCpLZ6v5pTGp7wxROmCBO42Npsbvs4-LQpclOuAnfpe2KMpoP6gu_uMx7NPuSeBlecmdjrZmdrBs9TBEHCEC9vhB_gQk_9l3bG9saumEiiuzF25XA"},

                                                                                                                                                                                                                                                C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_306068185\download_file_types.pb

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):7983
                                                                                                                                                                                                                                                Entropy (8bit):5.140722973269124
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:192:C0aEW8SsWk/pvtHB3Nf5Y10k6QKEa4pmifL1YbAnz1BRsO6v:C0aEW8SsWk/pvtHB3Nf5YKk6QKEa4pmf
                                                                                                                                                                                                                                                MD5:D28B6246CBA1D78930D98B7B943D4FC0
                                                                                                                                                                                                                                                SHA1:4936EBC7DBE0C2875046CAC3A4DCAA35A7434740
                                                                                                                                                                                                                                                SHA-256:239557F40C6F3A18673D220534B1A34289021142DC9BA0D438A3A678333A0EC6
                                                                                                                                                                                                                                                SHA-512:B8DBEBE85E6D720C36DBDAE9395FB633FB7028FECC5292498AC89276AE87BD6DE36288FBF858F3476E18033A430F503ACF6280596449DD0478B6AB7139F3CEA6
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:.C...#<....jpg... .*.........jpeg... .*.........mp3... .*.........mp4... .*.........png... .*.........csv... .*.........ica... .*.........gif... .*.........txt... .*.........package... .*.........tif... .*.........webp... .*.........mkv... .*.........wav... .*.........mov... .*.........avif... .*.........swf.D .*.........spl.E .*.........crx.. .*.........001..... .*.........7z.4.. .*.....0.....ace..... .*.........arc..... .*.........arj.:.. .*.........b64..... .*.........balz..... .*.........bhx..... .*.........bin..... .*.....0.....bz..... .*.........bz2.8.. .*.........bzip2..... .*.........cab.... .*.........cpio.@.. .*.........fat..... .*.........gz.6.. .*.........gzip..... .*.........hfs..... .*.........hqx..... .*.........iso..... .*.....0.....lha.<.. .*.........lpaq1..... .*.........lpaq5..... .*.........lpaq8..... .*.........lzh.;.. .*.........lzma.?.. .*.........mim..... .*.........ntfs..... .*.........paq8f..... .*.........paq8jd..... .*.........paq8l..... .*.........paq8o....

                                                                                                                                                                                                                                                C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_306068185\manifest.fingerprint

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):66
                                                                                                                                                                                                                                                Entropy (8bit):3.979439068908279
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:3:SRg4S5KgSEBWX0mRDUVnA0O:S24S5zJBQ/UVnA0O
                                                                                                                                                                                                                                                MD5:0A07A8A7914A071E6811D81670554730
                                                                                                                                                                                                                                                SHA1:81F0F6EC7A80017DEBC7DA02EE490F054D3E5D3F
                                                                                                                                                                                                                                                SHA-256:B60DE962335450BF4502F51F99568F5F7BF4F640F964E0B5ACCBE33C7099A919
                                                                                                                                                                                                                                                SHA-512:D6214E6D00C98B71677D8922917ACE7C16613876DBAA4F7A20A776843252F5752E85038CD9ED4B7F8DB8312FE6A04B82C8C4BD7EC7FB9A60DB4119941DC3B499
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:1.44c97a8527ef50cab95a16c5e78cd321cbdf315726823afe7e0482af9eb18319

                                                                                                                                                                                                                                                C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_306068185\manifest.json

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                File Type:JSON data
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):76
                                                                                                                                                                                                                                                Entropy (8bit):4.347669086800013
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:3:rR6TAulhFphifFRxJ1KnOFgS1bn:F6VlMDf1KqgS1b
                                                                                                                                                                                                                                                MD5:C08A4E8FE2334119D49CA6967C23850F
                                                                                                                                                                                                                                                SHA1:13C566B819D8E087246C80919E938EF2828B5DC4
                                                                                                                                                                                                                                                SHA-256:5B01512276C45ECC43D4BFA9A912BDAF7AFC26150881F2A0119972BFFDBD8AB0
                                                                                                                                                                                                                                                SHA-512:506F9F4FA4BAAA4096CE10007EB09CFA95C9188082053B9FF7F2DEC65164FF57506B6A8FEA28D58783700F257C982AEF037AFC33F62DA8DA281E67636430DC23
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:{. "manifest_version": 2,. "name": "fileTypePolicies",. "version": "67".}

                                                                                                                                                                                                                                                C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_892981035\_metadata\verified_contents.json

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                File Type:JSON data
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):1796
                                                                                                                                                                                                                                                Entropy (8bit):6.0168519411698735
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:48:p/hWPI1WeepFNms7ak7MR3BK8TRJkn7Jii:R/cz7a8I48TfgJii
                                                                                                                                                                                                                                                MD5:FF267B4EF9C5D2A8394AE2D403CC3203
                                                                                                                                                                                                                                                SHA1:B35FE56B6230487C83D22F92A31A29776C40A064
                                                                                                                                                                                                                                                SHA-256:BDB5F2482F28B9AC7E26433D85C65057D0CE22911785E42CE24B9755389F76E0
                                                                                                                                                                                                                                                SHA-512:163F03B1DC10D76CE6C0E3EF68BFAFE3AC328565918C11E1059641B7D18B0A1D6F28AE9016FF1D62D02637784E98A8FA223113A14BA7F8A7102E61F54360EE55
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJjcl9lbi11c181MDAwMDBfaW5kZXguYmluIiwicm9vdF9oYXNoIjoib1FPaGo5ZjFLbllWNWJWMVExcDhaZ1JzRnlodUpsXzRlaG5SSlJBZEF0RSJ9LHsicGF0aCI6Im1hbmlmZXN0Lmpzb24iLCJyb290X2hhc2giOiJ3ZjQ0aV92d0F5bUw2S3FoSFItbnhrQWxBZVpmU1FmSHlWaXlEa2tyeVkwIn1dLCJmb3JtYXQiOiJ0cmVlaGFzaCIsImhhc2hfYmxvY2tfc2l6ZSI6NDA5Nn1dLCJpdGVtX2lkIjoib2JlZGJiaGJwbW9qbmthbmljaW9nZ25tZWxtb29tb2MiLCJpdGVtX3ZlcnNpb24iOiIyMDI1MDMwNi43MzU5MjU5MzUuMTQiLCJwcm90b2NvbF92ZXJzaW9uIjoxfQ","signatures":[{"header":{"kid":"publisher"},"protected":"eyJhbGciOiJSUzI1NiJ9","signature":"hxUGbjbZiUcbf_JhOtq0pevc1gVgUSw0ZODOgQsy8y447rtKGkY3UNIRt3fyZuGIJ9021o6jE0PBJ0_TGO3OpLTgIyOQAcvQkNJiMcUEn0Jyw3BUCHxm__B_FI7hK0l3tZdqxU5fkogc-3Jf2hc6ZbkGfRoEh1mxEFP6HazEFI-omWdFEDrxJdAhfESD453QRRvY1nddIlI9N9BTG49pvZXxAAWEjMbzxrK6FGvUQN52lrzQjqbboHb11UhecmsJUJBnG2HMJrtZMgWZwDSc1xqhLn4FXwTTQTMU7JVgwnT3sp_7sfaa2Mq3tso

                                                                                                                                                                                                                                                C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_892981035\cr_en-us_500000_index.bin

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):7964974
                                                                                                                                                                                                                                                Entropy (8bit):6.571599738799289
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:98304:TIrPh8Ykn/v9cHdLBFopepotc6HpTRWQw0jemHHRyTWFnbS8TE:spknElXLl2pThL4Mfg
                                                                                                                                                                                                                                                MD5:BD043EB74B9890051327BA4E9EDB1575
                                                                                                                                                                                                                                                SHA1:13071B3B195C4BCB8E7999B99C5B947C6389A624
                                                                                                                                                                                                                                                SHA-256:C8EA03CFAD82BF705B53C22E52CEEF554CB3E80A0F6611FBC99390D4F92B435E
                                                                                                                                                                                                                                                SHA-512:203C76296E013323AB233226A9C364AFE986D8A306981543E7D80829096172AF4CC813A803E8B74211BD207EE615F868292C8BF3A85DD6BCBF0A05362335D62D
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:......w.....acB...yC. ..t].!..h#]0..f..A..g.|I..r.QQ..c..Y..e..n..n..t..l.(|..u.....d.@...p.....bA....z.....m=^...ii....s.....o.....v.....k.@...x.....j'Y...1.....5.8...qa....4WU...2....7.....9.....3C....6.~...8......m....0'....*A.......................M........ ......o....&.....................y...%.... ....... . ..........ngela aguilar.p..... .....$......G.....lafur darri .lafsson.....#......rsula corber.............7../............... to usdJ..... meaning........... to }....-...........Z.... .... ........................... 2025<.....r eldon.Z...sad.ra bjarkard.ttir barney.Q.... meaning.D.... meaning.=...................W....@......K...... meaning<...)....... .. .. ......(........ ...... p.... meaning.G........ . .............~....lker... . .... ..........@..... meaning,........ .....#.... meaning.....eviriz.....

                                                                                                                                                                                                                                                C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_892981035\manifest.fingerprint

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):66
                                                                                                                                                                                                                                                Entropy (8bit):3.9134061964176325
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:3:SXDmlDQvMoTeHDcfQfRJoln:STvvMnc2gn
                                                                                                                                                                                                                                                MD5:258D32B110EB01367B1000761CA27125
                                                                                                                                                                                                                                                SHA1:F692414D09D9D6E04085215CB75B44722DB4218F
                                                                                                                                                                                                                                                SHA-256:0C1709B481B23407F9D31CA3E26AD6D3C29380449FC398FD035A33EE829840FF
                                                                                                                                                                                                                                                SHA-512:FFA8D385F3F559225EF6E70BC74471CFD9B88C8092EC1D5C64287042EF5932FB6C73CB8BC821A993970CA6B3A398A0FBF0E1A699C754D68ACAEDC38638D6341B
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:1.2fd589c9cf873c7543a9e319731902bf659ed005c24296685683b0db536519bb

                                                                                                                                                                                                                                                C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_892981035\manifest.json

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                File Type:JSON data
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):108
                                                                                                                                                                                                                                                Entropy (8bit):4.884633456613636
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:3:rR6TAulhFphifF0AAGAR3CKG/w/VpKS12OlJXQqn:F6VlMT2C7Y/VUS120JAqn
                                                                                                                                                                                                                                                MD5:74C8EE07C6F6EBBEB52977FA3D5831FC
                                                                                                                                                                                                                                                SHA1:9ED4DDAA5DBC3339A1AF7AB90817E97BD7D88AA9
                                                                                                                                                                                                                                                SHA-256:C1FE388BFBF003298BE8AAA11D1FA7C6402501E65F4907C7C958B20E492BC98D
                                                                                                                                                                                                                                                SHA-512:66093F8EE96BA0F56BBB77CB098BD525897557B11464BC5F95CED76F7CEA95B916B82D0A544EE4FD78FE650F2F173FCCB44F089B700CE09A2918920CEDAD863D
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:{. "manifest_version": 2,. "name": "OnDeviceHeadSuggestENUS500000",. "version": "20250306.735925935.14".}

                                                                                                                                                                                                                                                C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_924195603\_metadata\verified_contents.json

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                File Type:JSON data
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):1805
                                                                                                                                                                                                                                                Entropy (8bit):6.024883607738449
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:48:p/h4uF8hr7akIQ2hWNW22oM3ItR0kpOg+G1F:ROuF8p7adWN12OtR0Lgnr
                                                                                                                                                                                                                                                MD5:576F86C13500904B2CFF79E7EE9813BF
                                                                                                                                                                                                                                                SHA1:A448BFCB7487342E71203F696C91364A881B1A07
                                                                                                                                                                                                                                                SHA-256:A6EDBEAD87C0D10CA54F31D719232D4766ECD85247C639097D68777812203BBB
                                                                                                                                                                                                                                                SHA-512:5AD87C8AF6C6A8DE90BB09E537EB04D343B7760E5692963C1CF8D6FFFDCD008165DAAECCA94510B591C2BB4C17BD64E48F93ED5277F38A87C53ADED0A7D46ED6
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJoaXN0b3J5X3NlYXJjaF9zdHJpbmdzX2Zhcm1oYXNoZWQuYmluYXJ5cGIiLCJyb290X2hhc2giOiJ1YTFtVjdKTl90enFQNm5uY3RTWUw5dDdLRTByc01MRExMSDZnR095NGM0In0seyJwYXRoIjoibWFuaWZlc3QuanNvbiIsInJvb3RfaGFzaCI6InRoLVdQczdGUDNkdnZudGVUSXpKM1l4eU5iNGtTV19CaFhmVmcyMzh1VHMifV0sImZvcm1hdCI6InRyZWVoYXNoIiwiaGFzaF9ibG9ja19zaXplIjo0MDk2fV0sIml0ZW1faWQiOiJwa29ta2RqcG1qZmJrZ2pqbW1haW9lZ2FvamdkYWhrbSIsIml0ZW1fdmVyc2lvbiI6IjYuNzQzMS45NjkyIiwicHJvdG9jb2xfdmVyc2lvbiI6MX0","signatures":[{"header":{"kid":"publisher"},"protected":"eyJhbGciOiJSUzI1NiJ9","signature":"MULn4zJoWgjGUovjaEHu5NdNW5uCggff98O6sYiY-a_-S7Ukq2rs9C8W20Ptv7UEhYotzE4oil8LYnY-UqU0ldSc1rW3zPuSq0noBsKqcWqb6LZPThWRJL7mu7NC6lU1LXtDjjA-v9Nckv93kI6GF4oXGWWD9TdTgM43sHL8NgyzSnplNmZFc5wPIRV0NETtKxxsH9xpq1koJOHX4QlDMHkBW1hgHTq3cxx4o_oUDOv2Z7tBDz0wrhoqfNNsB6S7XByGiqjggrMcVdKSNN-4M29i6MxtcUXiM4Ub6URQWqytMmMnvE

                                                                                                                                                                                                                                                C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_924195603\history_search_strings_farmhashed.binarypb

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):5798
                                                                                                                                                                                                                                                Entropy (8bit):3.599861932645689
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:96:E22zlb4j7OXw9g5qd49REHkN/v5zNnVUiic04saNJOkCDclgGNSrRnKjt3P:E2ilbC7Og9ga49Rnlv5zNn69cHhfOkEI
                                                                                                                                                                                                                                                MD5:07A6A55A8B1305A04B488B3433378A40
                                                                                                                                                                                                                                                SHA1:39249258EEA0473B37E468CCDB9C59D7B70B25B9
                                                                                                                                                                                                                                                SHA-256:A30999F36D840D218ED88CD402C072824EE11D141265BB66F972317075338DFE
                                                                                                                                                                                                                                                SHA-512:EAA73D7B069BBFDF9C5B8D3A84888587130CEC9F71EC3749B002C58D4C040818A6D9620B20D75B5215B045211E34092CCBB9D7EBDDCF43D7A30A82BEEB53C918
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:..2268878645..4150166211..3635766556..3100622694..2882857065..3113504532..4059982422..4190559762..490846406..472993679..746129187..3645806673..1587074553..3252136094..454137344..2485329947..1943545055..1560292331..1486366630..1790112295..68088445..239052483..663419390..2044611818..1818734386..1871588911..3661116714..3175320285..747058853..583773896..666111195..2266945682..1478812737..3751622037..4151348701..3296391498..2686649576..617189129..1814883064..41944762..626317099..3440834169..2196127073..640291836..2673380821..2169761756..3679871750..944943261..1583032654..2782972117..812563865..854749838..455904146..1251777507..2908954221..3422582911..3561876415..1990992201..3889187132..3501061295..4079828929..2683714405..2580287260..4018857391..133884271..3578942588..1542465893..2861684106..2400676353..2947221933..2418369878..550889930..4011599249..1197477470..2797574022..99329549..3815070852..2798633240..3378839655..2538816597..848749005..454704005..2817621037..4224936049..2114247913..3472

                                                                                                                                                                                                                                                C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_924195603\manifest.fingerprint

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):66
                                                                                                                                                                                                                                                Entropy (8bit):3.878459128441013
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:3:STDjQccBkR+Y5xUd71n:SPjlkkYY5uBn
                                                                                                                                                                                                                                                MD5:226C19B7ABCCA37C5553C59906378234
                                                                                                                                                                                                                                                SHA1:8707E3D4D89E0C9103366A1553EAB54FA268D8D5
                                                                                                                                                                                                                                                SHA-256:47502668458687050B5C0B7651DEF5507590571536FE77EC8B613D3EC0DBE737
                                                                                                                                                                                                                                                SHA-512:1C30A40CCC6B05B915446CCB46C5A8EC1A2D0D77B458283E02CE91BF6734D9AD6C8EEBC62E03821B476307D4D219AFC6B0BA0D1DA81700DC9937CEB809C1DC10
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:1.6f9945bb965ce4aef3427164fc19faf47a46b069dd2c9f1f931858445e1652a0

                                                                                                                                                                                                                                                C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping424_924195603\manifest.json

                                                                                                                                                                                                                                                Download File
                                                                                                                                                                                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                File Type:JSON data
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):111
                                                                                                                                                                                                                                                Entropy (8bit):4.711410209193507
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:3:rR6TAulhFphifFCXc9hAxo6YXwEW7EUJHKS1ydcCHA:F6VlMDlpwEhU0S1ydcCg
                                                                                                                                                                                                                                                MD5:ACB265E0B9230EBC82351E2923EFC08B
                                                                                                                                                                                                                                                SHA1:1D2DA6BABC7723DFAC6E564AA1CA3C00A2F55608
                                                                                                                                                                                                                                                SHA-256:B61F963ECEC53F776FBE7B5E4C8CC9DD8C7235BE24496FC18577D5836DFCB93B
                                                                                                                                                                                                                                                SHA-512:F70EA258E4613350B389ACE5EBBD62479B5B71BA555EC064447E9CAA08DF71B449660841E688E46C0333DC88A3E5F00EC29AF21799E0787E6E7E822B913F7D89
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:{. "manifest_version": 2,. "name": "history_search_strings_farmhashed.binarypb",. "version": "6.7431.9692".}

                                                                                                                                                                                                                                                Static File Info

                                                                                                                                                                                                                                                General

                                                                                                                                                                                                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                Entropy (8bit):5.278604351459561
                                                                                                                                                                                                                                                TrID:
                                                                                                                                                                                                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                                                                                                                                                                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                                                                                                                                                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                                                                                                                                                • Windows Screen Saver (13104/52) 0.07%
                                                                                                                                                                                                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                                                                                                                                File name:imagine_Whatsapp_2025-03-12.img.exe
                                                                                                                                                                                                                                                File size:1'112'576 bytes
                                                                                                                                                                                                                                                MD5:352c3764bb9f59d7b21cab61930be003
                                                                                                                                                                                                                                                SHA1:58a5f679d05c4d845ba83bd326d58b4223f76b6a
                                                                                                                                                                                                                                                SHA256:252adea6ee9da3c00b53667295d5ce774e827f3c5d5f300d223c71c202d18c16
                                                                                                                                                                                                                                                SHA512:393e087d04ae6f452dc817f2521436170e319e4f930b43614feb2b18769baeb45529b3440ee6c40c44330f7ad9463b572d39af7420749ed0756a3011d60536c8
                                                                                                                                                                                                                                                SSDEEP:12288:ug1uvhU8teOHpd+v6elhuScWfpHsajWu4sAnUe05REVkhH6:F0vuwVcuSzsajWu4sAnUeKH6
                                                                                                                                                                                                                                                TLSH:DF352D23F64FEAA1C1545FF3EE9B0C0053A8E6817717D65FB9CA236A18437BA9D41207
                                                                                                                                                                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g............................>.... ... ....@.. .......................`............`................................

                                                                                                                                                                                                                                                File Icon

                                                                                                                                                                                                                                                Icon Hash:20600f130303dc2a

                                                                                                                                                                                                                                                Static PE Info

                                                                                                                                                                                                                                                General

                                                                                                                                                                                                                                                Entrypoint:0x51003e
                                                                                                                                                                                                                                                Entrypoint Section:.text
                                                                                                                                                                                                                                                Digitally signed:false
                                                                                                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                                                                                                Subsystem:windows gui
                                                                                                                                                                                                                                                Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                                                                                                                                                                                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                                                                Time Stamp:0x67D1109F [Wed Mar 12 04:42:07 2025 UTC]
                                                                                                                                                                                                                                                TLS Callbacks:
                                                                                                                                                                                                                                                CLR (.Net) Version:
                                                                                                                                                                                                                                                OS Version Major:4
                                                                                                                                                                                                                                                OS Version Minor:0
                                                                                                                                                                                                                                                File Version Major:4
                                                                                                                                                                                                                                                File Version Minor:0
                                                                                                                                                                                                                                                Subsystem Version Major:4
                                                                                                                                                                                                                                                Subsystem Version Minor:0
                                                                                                                                                                                                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                                                                                                                                                                Entrypoint Preview

                                                                                                                                                                                                                                                Instruction
                                                                                                                                                                                                                                                jmp dword ptr [00402000h]
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al

                                                                                                                                                                                                                                                Data Directories

                                                                                                                                                                                                                                                NameVirtual AddressVirtual Size Is in Section
                                                                                                                                                                                                                                                IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                                                                                                                                                                                IMAGE_DIRECTORY_ENTRY_IMPORT0x10fff00x4b.text
                                                                                                                                                                                                                                                IMAGE_DIRECTORY_ENTRY_RESOURCE0x1120000x13e8.rsrc
                                                                                                                                                                                                                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                                                                                                                                                                                IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                                                                                                                                                                                IMAGE_DIRECTORY_ENTRY_BASERELOC0x1140000xc.reloc
                                                                                                                                                                                                                                                IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                                                                                                                                                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                                                                                                                                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                                                                                                                                                                IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                                                                                                                                                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                                                                                                                                                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                                                                                                                                                                                IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                                                                                                                                                                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                                                                                                                                                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                                                                                                                                                                                                IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                                                                                                                                                                                Sections

                                                                                                                                                                                                                                                NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                                                                                                                                                                .text0x20000x10e0440x10e2001329329c1f338086e17d9ffd05521bb1False0.37042493347987043data5.272284190079922IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                                                                                                                                                                                .rsrc0x1120000x13e80x140078d29247b980b49626680cf147ac4e03False0.3810546875data5.165273387331379IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                                                                                                                                                .reloc0x1140000xc0x2001b26fe84c0b480855879b363fea6489aFalse0.044921875data0.08153941234324169IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                                                                                                                                                                Resources

                                                                                                                                                                                                                                                NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                                                                                                                                                                                                RT_ICON0x1121300xca8Device independent bitmap graphic, 24 x 64 x 32, image size 3072, resolution 5669 x 5669 px/m0.3506172839506173
                                                                                                                                                                                                                                                RT_GROUP_ICON0x112dd80x14data1.15
                                                                                                                                                                                                                                                RT_VERSION0x112dec0x410data0.39134615384615384
                                                                                                                                                                                                                                                RT_MANIFEST0x1131fc0x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                                                                                                                                                                                                                                                Imports

                                                                                                                                                                                                                                                DLLImport
                                                                                                                                                                                                                                                mscoree.dll_CorExeMain

                                                                                                                                                                                                                                                Version Infos

                                                                                                                                                                                                                                                DescriptionData
                                                                                                                                                                                                                                                Translation0x0000 0x04b0
                                                                                                                                                                                                                                                CommentsGoogle Chrome
                                                                                                                                                                                                                                                CompanyNameGoogle LLC
                                                                                                                                                                                                                                                FileDescriptionGoogle Chrome
                                                                                                                                                                                                                                                FileVersion133.0.6943.54
                                                                                                                                                                                                                                                InternalNameimagine_Whatsapp_2025-03-12.img.exe
                                                                                                                                                                                                                                                LegalCopyrightCopyright 2025 Google LLC. All rights reserved.
                                                                                                                                                                                                                                                LegalTrademarks
                                                                                                                                                                                                                                                OriginalFilenameimagine_Whatsapp_2025-03-12.img.exe
                                                                                                                                                                                                                                                ProductNameGoogle Chrome
                                                                                                                                                                                                                                                ProductVersion133.0.6943.54
                                                                                                                                                                                                                                                Assembly Version133.0.6943.54

                                                                                                                                                                                                                                                Network Behavior

                                                                                                                                                                                                                                                No network behavior found

                                                                                                                                                                                                                                                Statistics

                                                                                                                                                                                                                                                CPU Usage

                                                                                                                                                                                                                                                Click to jump to process

                                                                                                                                                                                                                                                Memory Usage

                                                                                                                                                                                                                                                Click to jump to process

                                                                                                                                                                                                                                                High Level Behavior Distribution

                                                                                                                                                                                                                                                Click to dive into process behavior distribution

                                                                                                                                                                                                                                                Behavior

                                                                                                                                                                                                                                                Click to jump to process

                                                                                                                                                                                                                                                System Behavior

                                                                                                                                                                                                                                                General

                                                                                                                                                                                                                                                Target ID:0
                                                                                                                                                                                                                                                Start time:08:20:46
                                                                                                                                                                                                                                                Start date:17/03/2025
                                                                                                                                                                                                                                                Path:C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exe
                                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                                Commandline:"C:\Users\user\Desktop\imagine_Whatsapp_2025-03-12.img.exe"
                                                                                                                                                                                                                                                Imagebase:0x2a0000
                                                                                                                                                                                                                                                File size:1'112'576 bytes
                                                                                                                                                                                                                                                MD5 hash:352C3764BB9F59D7B21CAB61930BE003
                                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                Yara matches:
                                                                                                                                                                                                                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.951069315.0000000003B1E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.959417545.0000000005E90000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.918743441.00000000027D4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                Reputation:low
                                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                                General

                                                                                                                                                                                                                                                Target ID:1
                                                                                                                                                                                                                                                Start time:08:20:50
                                                                                                                                                                                                                                                Start date:17/03/2025
                                                                                                                                                                                                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process "https://adobe.com"
                                                                                                                                                                                                                                                Imagebase:0xb60000
                                                                                                                                                                                                                                                File size:433'152 bytes
                                                                                                                                                                                                                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                                General

                                                                                                                                                                                                                                                Target ID:2
                                                                                                                                                                                                                                                Start time:08:20:50
                                                                                                                                                                                                                                                Start date:17/03/2025
                                                                                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                Imagebase:0x7ff642da0000
                                                                                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                                General

                                                                                                                                                                                                                                                Target ID:3
                                                                                                                                                                                                                                                Start time:08:20:51
                                                                                                                                                                                                                                                Start date:17/03/2025
                                                                                                                                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                                                                                                                                                                                                                                Imagebase:0xc10000
                                                                                                                                                                                                                                                File size:42'064 bytes
                                                                                                                                                                                                                                                MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                                                                Has exited:false

                                                                                                                                                                                                                                                General

                                                                                                                                                                                                                                                Target ID:6
                                                                                                                                                                                                                                                Start time:08:20:52
                                                                                                                                                                                                                                                Start date:17/03/2025
                                                                                                                                                                                                                                                Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                                Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://adobe.com/
                                                                                                                                                                                                                                                Imagebase:0x7ff778810000
                                                                                                                                                                                                                                                File size:3'388'000 bytes
                                                                                                                                                                                                                                                MD5 hash:E81F54E6C1129887AEA47E7D092680BF
                                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                                                                Has exited:false

                                                                                                                                                                                                                                                General

                                                                                                                                                                                                                                                Target ID:7
                                                                                                                                                                                                                                                Start time:08:20:52
                                                                                                                                                                                                                                                Start date:17/03/2025
                                                                                                                                                                                                                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7048 -s 1144
                                                                                                                                                                                                                                                Imagebase:0x450000
                                                                                                                                                                                                                                                File size:483'680 bytes
                                                                                                                                                                                                                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                                General

                                                                                                                                                                                                                                                Target ID:8
                                                                                                                                                                                                                                                Start time:08:20:53
                                                                                                                                                                                                                                                Start date:17/03/2025
                                                                                                                                                                                                                                                Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                                Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2060,i,1785109057841810501,3028122236755377671,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2332 /prefetch:3
                                                                                                                                                                                                                                                Imagebase:0x7ff778810000
                                                                                                                                                                                                                                                File size:3'388'000 bytes
                                                                                                                                                                                                                                                MD5 hash:E81F54E6C1129887AEA47E7D092680BF
                                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                                                                Has exited:false

                                                                                                                                                                                                                                                General

                                                                                                                                                                                                                                                Target ID:12
                                                                                                                                                                                                                                                Start time:08:21:20
                                                                                                                                                                                                                                                Start date:17/03/2025
                                                                                                                                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                                Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                                                                                                                                                                Imagebase:0x7ff7c8b00000
                                                                                                                                                                                                                                                File size:55'320 bytes
                                                                                                                                                                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                                                                Has exited:false

                                                                                                                                                                                                                                                Disassembly

                                                                                                                                                                                                                                                Reset < >

                                                                                                                                                                                                                                                  Executed Functions

                                                                                                                                                                                                                                                  Function 06970E10 Relevance: 3.1, Strings: 2, Instructions: 607COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.960910508.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.960694466.0000000006920000.00000004.08000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6920000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID: fq$8
                                                                                                                                                                                                                                                  • API String ID: 0-1651916650
                                                                                                                                                                                                                                                  • Opcode ID: 7e953c4a07a9d6a6151fe8b94e4e0d86dbb3e4beb50880dc6c8493c70c5f1fd9
                                                                                                                                                                                                                                                  • Instruction ID: 5dd542bcb79efa9b7e9bf77eaee6d84b60997512dc609b9ed82de71b8d6c2946
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7e953c4a07a9d6a6151fe8b94e4e0d86dbb3e4beb50880dc6c8493c70c5f1fd9
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7F52E475E00229CFDB64DF69C890AD9B7B1FB99300F1086EAD509A7355DB70AE81CF90
                                                                                                                                                                                                                                                  Function 066DF900 Relevance: 1.5, Strings: 1, Instructions: 276COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.960331107.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_66c0000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID: Dq
                                                                                                                                                                                                                                                  • API String ID: 0-144822681
                                                                                                                                                                                                                                                  • Opcode ID: 2d4a7e78442649750b891db902d01574dc3c94f4a56dd35e83cfcfe47f88b5ad
                                                                                                                                                                                                                                                  • Instruction ID: 58cf65e0aa91e97e22f4f2dff80e31a6f6a97eed8c06c4eada7191486d56fc00
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2d4a7e78442649750b891db902d01574dc3c94f4a56dd35e83cfcfe47f88b5ad
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B9D1B374E00258CFDB64DFA9D894B9DBBB2BF89300F1080A9D409AB365DB75AD85CF50
                                                                                                                                                                                                                                                  Function 066DF648 Relevance: .1, Instructions: 146COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.960331107.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_66c0000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: a075ad8fd6cab744297a8c97263ca99808d01f5638f2acaebae08ea0b620aedf
                                                                                                                                                                                                                                                  • Instruction ID: 17b021a7e10b38e860b2a646e6908c0e6e64cf565290990d774edffcbc42680a
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a075ad8fd6cab744297a8c97263ca99808d01f5638f2acaebae08ea0b620aedf
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C6514B74E04219CFDB44DFAAD585AAEBBF2FF88300F248129D406E7754DB34A942CB91
                                                                                                                                                                                                                                                  Function 066C0F2C Relevance: 1.3, Strings: 1, Instructions: 48COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.960331107.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_66c0000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID: !
                                                                                                                                                                                                                                                  • API String ID: 0-2657877971
                                                                                                                                                                                                                                                  • Opcode ID: fa4308ea6751cc533897be9caf17f86ce3acbaaa9899550688cca67030b6be58
                                                                                                                                                                                                                                                  • Instruction ID: 4deb6872e75e2e7bc0614ef52961f40a33d95c64ecc84f1d5375cadcf6457252
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: fa4308ea6751cc533897be9caf17f86ce3acbaaa9899550688cca67030b6be58
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 42112970A04229CFEBB4DF54C898BE9B6B5EB09314F0095EAA10DA3640CB759ED5CF61
                                                                                                                                                                                                                                                  Function 066C02B4 Relevance: 1.3, Strings: 1, Instructions: 32COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.960331107.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_66c0000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID: }
                                                                                                                                                                                                                                                  • API String ID: 0-4239843852
                                                                                                                                                                                                                                                  • Opcode ID: 3596f0e3e815c0246b2da67f9af0ad86f3b810a618a8c4c90c26ab3c29a7f06b
                                                                                                                                                                                                                                                  • Instruction ID: 31fe4276e542e7ef56ef964dddc13c49fbbe8d59ebebfdcdce6e9ec289312450
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3596f0e3e815c0246b2da67f9af0ad86f3b810a618a8c4c90c26ab3c29a7f06b
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 78015E74A01258CFDB60EF19D998B8AB7B1EB88300F1041E5A50EA3745DB305E81CF81
                                                                                                                                                                                                                                                  Function 00D62BB4 Relevance: .1, Instructions: 144COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.917291956.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_d60000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 86bc667a53dfecfe4fa34497459fad4b3398e0a800f3030747679270de3d518c
                                                                                                                                                                                                                                                  • Instruction ID: 3e3a71d3f9801300b4d2797ce54a5e545f29a5c48b1c84ca5208a4d85fd996b4
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 86bc667a53dfecfe4fa34497459fad4b3398e0a800f3030747679270de3d518c
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 96517E34A00904CFDB14DF69D848BAD77F2FB99315F2A8065E402AB3A9CB759C45CF60
                                                                                                                                                                                                                                                  Function 066D9B90 Relevance: .1, Instructions: 142COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.960331107.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_66c0000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 00e79f0af0eaca0dccae7c8782199477eb1342798645a98d9b3edd1a2303dddd
                                                                                                                                                                                                                                                  • Instruction ID: 9f44ba06c681d0150acfdef1acdc9b2180a5e6bd61f8da16ae53c5aace824176
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 00e79f0af0eaca0dccae7c8782199477eb1342798645a98d9b3edd1a2303dddd
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7F510374E04219CFDB84DFA9D854AEEBBB6FB88300F10822AD416B7394DB745946CF94
                                                                                                                                                                                                                                                  Function 00D62BC0 Relevance: .1, Instructions: 139COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.917291956.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_d60000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: f4272fcaa7bd8758e540ea6433e40b834cd172f4896a27bc9a80a8329731f7e1
                                                                                                                                                                                                                                                  • Instruction ID: 97544b40d4096a33aac6d8eeb32d6254497110b059c9164c77a0875dfcc72943
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f4272fcaa7bd8758e540ea6433e40b834cd172f4896a27bc9a80a8329731f7e1
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 44515A34A00904CFD714DF69D848BAD77F2FB89315F2A8465E502AB3A9CB759C81CFA1
                                                                                                                                                                                                                                                  Function 066DF398 Relevance: .1, Instructions: 131COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.960331107.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_66c0000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 4578866586d8ec7612b3e3ab308539361fb0cdbee23d9079208afb5dee536abd
                                                                                                                                                                                                                                                  • Instruction ID: d47bdde6c7b88265435240b384653ffc50380f6e8441603c5f6a5a5e5e1b261e
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4578866586d8ec7612b3e3ab308539361fb0cdbee23d9079208afb5dee536abd
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0A51F470E01208DFDB44EFA9D894AAEBBB2EF89300F11D429D416A7354DB786E45CF91
                                                                                                                                                                                                                                                  Function 00D61854 Relevance: .1, Instructions: 124COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.917291956.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_d60000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: fba2e6c436291bf49749ba86b40ce23e8e34c462bb4ab4d76372c0963cc3a824
                                                                                                                                                                                                                                                  • Instruction ID: d4d0261b61a3e83e4049a5f7ec6d6dc71c62df878eef9825f441b73c0a9aab31
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: fba2e6c436291bf49749ba86b40ce23e8e34c462bb4ab4d76372c0963cc3a824
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5941DF38B001008FDB54DB29C444BAD7BE3BB88314F198569D006AB364DB789C86CBA4
                                                                                                                                                                                                                                                  Function 00D619CD Relevance: .1, Instructions: 111COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.917291956.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_d60000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: e9df86f61d0345afd61d9dde862e8ec27df3f2f69a67b8592498cc9f3e8637e2
                                                                                                                                                                                                                                                  • Instruction ID: eee7f54b3da0fc78284b8ba659320a968272ae87861acdcf52f5a261a5e00c26
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e9df86f61d0345afd61d9dde862e8ec27df3f2f69a67b8592498cc9f3e8637e2
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 49417C38B002148FDB54EB69D444BAD77F3BB98314F198569E006AB365DB38DC86CF64
                                                                                                                                                                                                                                                  Function 00D61921 Relevance: .1, Instructions: 85COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.917291956.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_d60000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: fc0c9d0572b81cd20463edde98bd8483828adf25cf291a85f11b27c7d7b919e9
                                                                                                                                                                                                                                                  • Instruction ID: 548f0365c86de0152fe842a50ed9c80de4f07afae67c5b135db45ece8db19a8a
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: fc0c9d0572b81cd20463edde98bd8483828adf25cf291a85f11b27c7d7b919e9
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8931AE38B002048FDB54DB69C444BAD7BF2BF98314F198969E4069B365DB78DC86CFA0
                                                                                                                                                                                                                                                  Function 00D6B580 Relevance: .1, Instructions: 79COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.917291956.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_d60000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 7b40323b6497beccb721245d4993dd5453f74d1b8fe5b66a7f8dc3bc3f114084
                                                                                                                                                                                                                                                  • Instruction ID: 395a3c0c2550b9e98f200f2188ebe106c667a97c7ad23f548cd106ebb82cfe2c
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7b40323b6497beccb721245d4993dd5453f74d1b8fe5b66a7f8dc3bc3f114084
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E63129B0904209DFDB00DFA9C0597AEBBF1EB48314F20906AD006E3380DB748A84DFA1
                                                                                                                                                                                                                                                  Function 00C9D030 Relevance: .1, Instructions: 74COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.917089380.0000000000C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9D000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_c9d000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 4955bde83e1bb1cd598ba941d924b0e761c0b0f41497b23db35ad724c2dba53b
                                                                                                                                                                                                                                                  • Instruction ID: 3be34019ebaeca377167cf5ade685bd5dcac3d5fe8c096e68c8db6275abe4d9a
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4955bde83e1bb1cd598ba941d924b0e761c0b0f41497b23db35ad724c2dba53b
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 86210472504344DFDF14DF14D9C8B2ABBA5FB84314F24C5A9E80A2B246C33AD957CBA2
                                                                                                                                                                                                                                                  Function 00C9D005 Relevance: .1, Instructions: 71COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.917089380.0000000000C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9D000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_c9d000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: f09b86328104f2ba0c4d31d2f2d9cc0b22a85affe5bfb6666b62fed630eb8449
                                                                                                                                                                                                                                                  • Instruction ID: dcb6ba967c03adc38d5ce590ef9d4859b5e997b56bb698ed65d19ca16186238e
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f09b86328104f2ba0c4d31d2f2d9cc0b22a85affe5bfb6666b62fed630eb8449
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0F215E7100D3C09FCB03CF24D994716BF71AB46310F2985EBD8458F2A7C23A991ACBA2
                                                                                                                                                                                                                                                  Function 066C2A8F Relevance: .1, Instructions: 56COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.960331107.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_66c0000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: daab5012b7262702ee5e2286b8f605ef5559cc31aa42e9a6e054e21416da5d1a
                                                                                                                                                                                                                                                  • Instruction ID: 6883334a9738ed2d79d0ef097318a96cb7de4c2f41d6a99c1efb6aaa92bdfe11
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: daab5012b7262702ee5e2286b8f605ef5559cc31aa42e9a6e054e21416da5d1a
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 84318274A14228CFEB64DF28C994E99BBB1FB48310F1082E9E91DA7315DB359E85CF50
                                                                                                                                                                                                                                                  Function 066C309C Relevance: .0, Instructions: 35COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.960331107.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_66c0000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: ba446e51dd91869fb03a3349d4d520cc5a5b6c36ef56f9fdea6afd9fd9725683
                                                                                                                                                                                                                                                  • Instruction ID: b09acf4c1e008290f5c64106b5615d82e31e520e245c7d1eeae6422a5bd0d929
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ba446e51dd91869fb03a3349d4d520cc5a5b6c36ef56f9fdea6afd9fd9725683
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E811B774A40268CFDB64EF28C999A9DBBF1EB48304F1055EAE509A3345DF349E81CF45
                                                                                                                                                                                                                                                  Function 066C0359 Relevance: .0, Instructions: 33COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.960331107.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_66c0000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: e4745dcd8b33bb96abdef05c0b9abeed6950d48c0897c03fc0c3b26bb744483d
                                                                                                                                                                                                                                                  • Instruction ID: 9a1f61e3d987c04160cb9e6ce3691b5d4b50cf86fa308997fc2f4efd48cef5a4
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e4745dcd8b33bb96abdef05c0b9abeed6950d48c0897c03fc0c3b26bb744483d
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9201C2B4A016288FDB60DF18D988AA9B7B1FB49314F1144E9D80EA7B44D7749EC1CF81
                                                                                                                                                                                                                                                  Function 066C23B2 Relevance: .0, Instructions: 30COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.960331107.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_66c0000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: b5998dda95ff81a0bda10c4cd81a2353c4d299ed4503f9ba6e00f118fcb52495
                                                                                                                                                                                                                                                  • Instruction ID: 836d11eec7786890129dcb215b17cbe24027c4fed8b44fca4e7dc6a8d5b5804a
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b5998dda95ff81a0bda10c4cd81a2353c4d299ed4503f9ba6e00f118fcb52495
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A501A274E092288FDB25DB18C994A99BBB1EB48200F1185D9E80EA7355CB38AE81DF50
                                                                                                                                                                                                                                                  Function 00D617E8 Relevance: .0, Instructions: 27COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.917291956.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_d60000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: e1628cb43de701dedca477eaa1afb7bcff2d7d1fbd12642e0b5c30c62a9c78f3
                                                                                                                                                                                                                                                  • Instruction ID: 83968b97943505fe8eca4652a6f9298bc7c06724480c4d1c676b3b7ed0fe69bc
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e1628cb43de701dedca477eaa1afb7bcff2d7d1fbd12642e0b5c30c62a9c78f3
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FBF05838A09209DFCB90EF38D845A6E7BF0FB4A312B1585AAD446D3265D7388801DF50
                                                                                                                                                                                                                                                  Function 00D60860 Relevance: .0, Instructions: 26COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.917291956.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_d60000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: f9edf8631d9ce8b21f38c36856109da945f9828a4bdb7f2944674244100dd1a4
                                                                                                                                                                                                                                                  • Instruction ID: c5af172b50096d97fddcdbc216281525db3e6b68fb5eeee36bd845a9279c1580
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f9edf8631d9ce8b21f38c36856109da945f9828a4bdb7f2944674244100dd1a4
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6BE0993004E7C59FC74347B998A91857F30AE0B22434A84EBD085CF8B3C6196829EB22
                                                                                                                                                                                                                                                  Function 066C2D27 Relevance: .0, Instructions: 24COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.960331107.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_66c0000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: d4309db6ea62515fc2e66cd88cdc3fd65b02cf41bc89e0606973064ca053aa0b
                                                                                                                                                                                                                                                  • Instruction ID: bf29459d5d722b03e5f8d6b4dc20b569d0adf9936df7e7951740b2a5b036a71e
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d4309db6ea62515fc2e66cd88cdc3fd65b02cf41bc89e0606973064ca053aa0b
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 50F06D30E0425DCFDB619F58C8487A8BBB1EB04318F1045E9D11D93680D7B95ECA9F42
                                                                                                                                                                                                                                                  Function 066D5CC0 Relevance: .0, Instructions: 23COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.960331107.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_66c0000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 8c2b64c4b6c2e95094250f39bca652a421c7e152bfde491b3cfecba9fae4df18
                                                                                                                                                                                                                                                  • Instruction ID: 9ec50812d313b0344051fdb3fcf72dd8532b05cc5de359b27ce4f30f7b0645a9
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8c2b64c4b6c2e95094250f39bca652a421c7e152bfde491b3cfecba9fae4df18
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0AE0C974D04208EFCB84DFA8D94569CBBF4FB49310F10C0AA9819A3350D6319A55DF80
                                                                                                                                                                                                                                                  Function 066DA540 Relevance: .0, Instructions: 23COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.960331107.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_66c0000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 8c2b64c4b6c2e95094250f39bca652a421c7e152bfde491b3cfecba9fae4df18
                                                                                                                                                                                                                                                  • Instruction ID: dd19470c3a5740457995b7971bcc9b930e6addaae2911903b394437b5393963e
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8c2b64c4b6c2e95094250f39bca652a421c7e152bfde491b3cfecba9fae4df18
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 19E0ED74D04208EFCB84DFA8D8446ACFBF4EB49310F10C4AAD818A3351D6319E55DF81
                                                                                                                                                                                                                                                  Function 066DBF38 Relevance: .0, Instructions: 23COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.960331107.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_66c0000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 8c2b64c4b6c2e95094250f39bca652a421c7e152bfde491b3cfecba9fae4df18
                                                                                                                                                                                                                                                  • Instruction ID: e86a6dc41d1ed1b21b403e236887a29baef361282e937c0f02636e7614518c37
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8c2b64c4b6c2e95094250f39bca652a421c7e152bfde491b3cfecba9fae4df18
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0BE0ED75D04208EFCB84DFA8D8446ACFBF4FB89310F10C0AAD808A3350D6319A55DF84
                                                                                                                                                                                                                                                  Function 066DF8B0 Relevance: .0, Instructions: 22COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.960331107.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_66c0000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 52138924f9eb9645ba0eeabe757ddf51ec1bb2c84c9adf1e352802eebd6c286c
                                                                                                                                                                                                                                                  • Instruction ID: 96e342c91bce16b82ba690cb2c5eba415e42fe17cd52ca135317152379536cd7
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 52138924f9eb9645ba0eeabe757ddf51ec1bb2c84c9adf1e352802eebd6c286c
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: AAE0E574E04208EFDB84DFA9D8446ACFBF8EB89300F10C1AA8819A3340D6319A16CF81
                                                                                                                                                                                                                                                  Function 066D9B40 Relevance: .0, Instructions: 22COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.960331107.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_66c0000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 52138924f9eb9645ba0eeabe757ddf51ec1bb2c84c9adf1e352802eebd6c286c
                                                                                                                                                                                                                                                  • Instruction ID: cdedb541a3791acd49e0030f61370e3ab18f7a8cdddfca74134a3c70ee461154
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 52138924f9eb9645ba0eeabe757ddf51ec1bb2c84c9adf1e352802eebd6c286c
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B4E0ED74E04208EFDB84DFA8D4446ADFBF8EB49300F10C5A9881893381D6319A05DF80
                                                                                                                                                                                                                                                  Function 00D617F8 Relevance: .0, Instructions: 21COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.917291956.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_d60000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 885bd46a9e263f848d5baebab3ea3d89bec9854b24f6992290a4e6815b8dad7d
                                                                                                                                                                                                                                                  • Instruction ID: bd2914e992b14da55adbd6e62c806e44da70c37ff8dd40cd93b605a119b373e4
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 885bd46a9e263f848d5baebab3ea3d89bec9854b24f6992290a4e6815b8dad7d
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4DE09A34E01209DFC780EF78D848B2E7BF0BB08302F1480AAD80AD3365E7348801CB90
                                                                                                                                                                                                                                                  Function 066D8B98 Relevance: .0, Instructions: 20COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.960331107.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_66c0000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 88fed8b6bf4465885e2b8245e6813169ab17e56ed13ba72287005bb7797e546f
                                                                                                                                                                                                                                                  • Instruction ID: 3cb93461ccfe8024809137e169421a240a05c23b806978ab46a2a1f74c7d5c96
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 88fed8b6bf4465885e2b8245e6813169ab17e56ed13ba72287005bb7797e546f
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 07E04F74D04208EFC744DF95D4846ACFBB8EB49200F10C0EEC85853381CA35AA46DF81
                                                                                                                                                                                                                                                  Function 00D6F7C8 Relevance: .0, Instructions: 19COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.917291956.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_d60000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 90c20d95455e1a5b4e29984d8e706a138bf28c8a4df81c10fc83abbc7d169826
                                                                                                                                                                                                                                                  • Instruction ID: b919dae3701e7a5095180356201cbb92a5640d03aa5c5082b88e9661a48915e0
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 90c20d95455e1a5b4e29984d8e706a138bf28c8a4df81c10fc83abbc7d169826
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CEE0C231400208FFEB01EFB0E908B9E77BCEB0A321F0008A6D408A3110EE318E089B91
                                                                                                                                                                                                                                                  Function 066DE098 Relevance: .0, Instructions: 19COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.960331107.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_66c0000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 069d623545c095b9768ca0136e04b53e32d1e371277218e38c61801a1015937c
                                                                                                                                                                                                                                                  • Instruction ID: 628e6d045ea455fb52a130dc15e2d43900640651637e7db86edd6f60af90a66f
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 069d623545c095b9768ca0136e04b53e32d1e371277218e38c61801a1015937c
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0BE0EC34D48208EBD744DF94D9456ADBBB9BB46314F108199C80827391CA329E56DBC5
                                                                                                                                                                                                                                                  Function 066DDF70 Relevance: .0, Instructions: 19COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.960331107.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_66c0000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 069d623545c095b9768ca0136e04b53e32d1e371277218e38c61801a1015937c
                                                                                                                                                                                                                                                  • Instruction ID: b22a97217ebac6c4c4ed0c903d54aea65cb2fedf859b229939ba05b764c26c35
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 069d623545c095b9768ca0136e04b53e32d1e371277218e38c61801a1015937c
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E7E0C274D08208EFC704EF94D8406ACBBB8EF86300F108199C80823340CA319E06CF81
                                                                                                                                                                                                                                                  Function 066DB3F8 Relevance: .0, Instructions: 19COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.960331107.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_66c0000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: c99f2d765837284bc0ac38a82e0e2a3f9f6ae06ee552a85ee981b045a1a8a859
                                                                                                                                                                                                                                                  • Instruction ID: 44cd867700ca5ec86222c4d088a3be1bd1623a0c6946f618271f0770cfc6ffe0
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c99f2d765837284bc0ac38a82e0e2a3f9f6ae06ee552a85ee981b045a1a8a859
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6DE01272D41208ABE704FFB5C918BAE77FCAF46210F5048A5C54CA3150ED724A489B95
                                                                                                                                                                                                                                                  Function 00D61071 Relevance: .0, Instructions: 13COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.917291956.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_d60000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 9415a67e1cfcd63135f6d884b01ea497da1dfb6c46c4251a99ed2e6e514ef2ea
                                                                                                                                                                                                                                                  • Instruction ID: 0ef03c938859b17cebe3c42fbd09b94edec583974cc045dcdc2ced3ef105a051
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9415a67e1cfcd63135f6d884b01ea497da1dfb6c46c4251a99ed2e6e514ef2ea
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7DD0A736500511CBEF10BBA1DC1832E7334BB49725B894575C64353214CB64CE095BB6
                                                                                                                                                                                                                                                  Function 00D6F608 Relevance: .0, Instructions: 11COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.917291956.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_d60000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: a15ee5d1cb28be03072fe11fd43300521bd0bb9f1afebe52e934660d6d6ed2b9
                                                                                                                                                                                                                                                  • Instruction ID: c2d73cedd650343d38809cbab44d4d703691c4be9cd9928cdf461ed829144435
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a15ee5d1cb28be03072fe11fd43300521bd0bb9f1afebe52e934660d6d6ed2b9
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 60C08C21084A4883E208BBE4B80E338329C9F0222DF482421E18C11460DE604448CA3A
                                                                                                                                                                                                                                                  Function 00D60890 Relevance: .0, Instructions: 5COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.917291956.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_d60000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: bd60c7628a0a1169320d54b1542526e5dfd696d624237ed1b5ceab649c4faecc
                                                                                                                                                                                                                                                  • Instruction ID: cffe22b20c3b343c444b64b120b558e5f5f0a1d20bb2123df1e8f51e611ad079
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: bd60c7628a0a1169320d54b1542526e5dfd696d624237ed1b5ceab649c4faecc
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 09900231045B0C8B454137D57D4D759775C95486257840052A50D455515A5564104695

                                                                                                                                                                                                                                                  Non-executed Functions

                                                                                                                                                                                                                                                  Function 06926E5B Relevance: 1.6, Instructions: 1600COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.960694466.0000000006920000.00000004.08000000.00040000.00000000.sdmp, Offset: 06920000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.960910508.0000000006970000.00000040.00000800.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6920000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: b13db0913b37791ec3c5966d9f43b4828c87dfbedb3210be923f6386e2b78db8
                                                                                                                                                                                                                                                  • Instruction ID: addc405aacd923e1103fa836790917ad5eaf2f917a0332e12c396d071a4af2da
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b13db0913b37791ec3c5966d9f43b4828c87dfbedb3210be923f6386e2b78db8
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0CC2CC6240E3D25FD7534BB89CB6AE17FB1EE2321471E08DBD0C09F867E218594AD762
                                                                                                                                                                                                                                                  Function 066DE0D8 Relevance: .2, Instructions: 209COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.960331107.00000000066C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066C0000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_66c0000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: e5104018d7c9bc6119c2234c515f4bbbc80c59b281678da0c778cab89392019e
                                                                                                                                                                                                                                                  • Instruction ID: b44b7a016b6d471bc0821088b0f78051ab83bd05280d6b8ffbeae7b77220454a
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e5104018d7c9bc6119c2234c515f4bbbc80c59b281678da0c778cab89392019e
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F4912974E0421CCFEB64DFA5C844B9DBBF2BF4A304F1095A9D009AB250DB755986CF51
                                                                                                                                                                                                                                                  Function 00D6B6E0 Relevance: .2, Instructions: 165COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.917291956.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_d60000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: bdb1d5aa6896db56650c95966af0c9beeccded2e47332313a1a06c8eaeffad24
                                                                                                                                                                                                                                                  • Instruction ID: 50aa2276ec111621720dc617a9654d17b6bee8c2033b6a1bf15c8d3dd2406698
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: bdb1d5aa6896db56650c95966af0c9beeccded2e47332313a1a06c8eaeffad24
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 11710C70A002498FD718EF6AE854B9EBBF3BFC8304F14D12AD00597265EBB85905DF92
                                                                                                                                                                                                                                                  Function 00D6C070 Relevance: .1, Instructions: 84COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.917291956.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_d60000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 693ea1a0111c99913b7c992ff13023bde903d0c8490502c5597d3dc02a74fcc5
                                                                                                                                                                                                                                                  • Instruction ID: a27f6870d16fb595d5fc25450b1f721bb12de76e627e2fc2bbfbb6de46878643
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 693ea1a0111c99913b7c992ff13023bde903d0c8490502c5597d3dc02a74fcc5
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 714198B0D01628CBEB68CF6BCC58799FAF6BF89304F14C1A9C44CA6255DB740A85DF10
                                                                                                                                                                                                                                                  Function 06972890 Relevance: .1, Instructions: 66COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.960910508.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.960694466.0000000006920000.00000004.08000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6920000_imagine_Whatsapp_2025-03-12.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 13fcb6f50e0b30eb9456405833e4226be3014485af04c420f1137f23f0310ce6
                                                                                                                                                                                                                                                  • Instruction ID: 0fe75dafd64f843b4245d2b8967d7d3ddb7c9bc876f278195e8c452eb99d751d
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 13fcb6f50e0b30eb9456405833e4226be3014485af04c420f1137f23f0310ce6
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1621FEB5D102489FDB14CFA9D980AEEFBF5FB49310F14901AE815B7250CB35AA01CFA4

                                                                                                                                                                                                                                                  Executed Functions

                                                                                                                                                                                                                                                  Function 02D81C41 Relevance: .3, Instructions: 266COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2733918578.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2d80000_InstallUtil.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 5c9550954e7a3f01a021f94a66e22ec0cbae9a280475ad3e586e15e2741a6bb8
                                                                                                                                                                                                                                                  • Instruction ID: 56ae4c3b09767c2c5441d385fd550f5e94824b4baf9663889df62feb0790eb21
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5c9550954e7a3f01a021f94a66e22ec0cbae9a280475ad3e586e15e2741a6bb8
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: DFB18C34A00104DFD754EF29D998BA9B7F2FB88710F2580A5E50A9B3A5CB71DC8ACF40
                                                                                                                                                                                                                                                  Function 02D82380 Relevance: 1.6, Strings: 1, Instructions: 320COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2733918578.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2d80000_InstallUtil.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID: Dq
                                                                                                                                                                                                                                                  • API String ID: 0-144822681
                                                                                                                                                                                                                                                  • Opcode ID: a1361078d436cee6911e38bf1cb9f3129aaa40ce7a30f8d2616c2047bfa22c7e
                                                                                                                                                                                                                                                  • Instruction ID: 1f65e328c62656003c35d8facd9bb281c3e943ec7621346fdce87d81d3194376
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a1361078d436cee6911e38bf1cb9f3129aaa40ce7a30f8d2616c2047bfa22c7e
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F2C1F235A002859FC755EF78D494A99BBF2FF8A320F1581AAD8419B3A5DB31EC41CF90
                                                                                                                                                                                                                                                  Function 02D82370 Relevance: 1.4, Strings: 1, Instructions: 169COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2733918578.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2d80000_InstallUtil.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID: Dq
                                                                                                                                                                                                                                                  • API String ID: 0-144822681
                                                                                                                                                                                                                                                  • Opcode ID: 1e591336dc297f2472ac148246baaa8ae172ec4581441b1c9c3dae3cc9d5435d
                                                                                                                                                                                                                                                  • Instruction ID: 559ea2bd8af7b74f033af83f9c1d15d0ac51d3263870e7838097a7b07bc37903
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1e591336dc297f2472ac148246baaa8ae172ec4581441b1c9c3dae3cc9d5435d
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7F619C74A006559FCB14EF2DD4A8A59BBF2FF88310B1581A9D846EB3A5DB31EC41CF90
                                                                                                                                                                                                                                                  Function 02D81760 Relevance: .2, Instructions: 175COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2733918578.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2d80000_InstallUtil.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 9a288c72b94f5dde2a157472a61f3e4a683c6b64d0333257c9957ff073a6e720
                                                                                                                                                                                                                                                  • Instruction ID: c6121fa683a9434a9f717559e32b863d35959578ccfa461f95446355b2874aaa
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9a288c72b94f5dde2a157472a61f3e4a683c6b64d0333257c9957ff073a6e720
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E651AE34B00105DFDB10EB28D858BAA77F2EB88710F158579D10ADB3A4DB74DC8ACB91
                                                                                                                                                                                                                                                  Function 02D81731 Relevance: .2, Instructions: 170COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2733918578.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2d80000_InstallUtil.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: f8bf2e226580f06aa8bf079d7a03f30319928fd7730dc5f46224a92204ef7a98
                                                                                                                                                                                                                                                  • Instruction ID: 88184550491ce6cd1a46e19c32cbdb4d80e74a3f73e21a6a5c844a292dc951ce
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f8bf2e226580f06aa8bf079d7a03f30319928fd7730dc5f46224a92204ef7a98
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: DB51B134B04205DFDB10EB28C858BAA37F2FB89314F254169D04ADB7A5DB75DC8ACB51
                                                                                                                                                                                                                                                  Function 0129D3B4 Relevance: .1, Instructions: 75COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2731812610.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_129d000_InstallUtil.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 0a3d24bcdc6a7a49084f58ad1d5f3339f349f88da0daaf1822b901cac5cbb374
                                                                                                                                                                                                                                                  • Instruction ID: d9447ab3c88cd761691cb09432bb055811f54f94479236366c199205db89fdb9
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0a3d24bcdc6a7a49084f58ad1d5f3339f349f88da0daaf1822b901cac5cbb374
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2A214571510248DFDF05DF58D9C0B66BB61FB84314F20C569E9090B246C376E456DBA2
                                                                                                                                                                                                                                                  Function 02D81AD8 Relevance: .1, Instructions: 65COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2733918578.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2d80000_InstallUtil.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 79ce0650f359fea31dd83207c01d83108be7e46c92bc4985e12d28373c37f00b
                                                                                                                                                                                                                                                  • Instruction ID: 5c0def003ef7300c6542418e8a46538d0b5a95094cc63ca511ad31d82543e7bc
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 79ce0650f359fea31dd83207c01d83108be7e46c92bc4985e12d28373c37f00b
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 821188317042048FD750AB7DE858BA677E6EBC6B24F6940B6D00EC7319DA71EC4ACB61
                                                                                                                                                                                                                                                  Function 02D856EF Relevance: .1, Instructions: 58COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2733918578.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2d80000_InstallUtil.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 345a562ddc455769e42070edd964043e17f953723b62f069820b7f82bf340158
                                                                                                                                                                                                                                                  • Instruction ID: ca8b165af0b16815324daa87e1db29975a664d03186bd9b37bc77276c24f804a
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 345a562ddc455769e42070edd964043e17f953723b62f069820b7f82bf340158
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7F21A274D08208DFEB10EFA8E4883AD7BF5FB09308FA580A9C04997748D7788984CF51
                                                                                                                                                                                                                                                  Function 02D81660 Relevance: .1, Instructions: 58COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2733918578.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2d80000_InstallUtil.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 12ee17ecf69a70a7a07d046ad7c7f2c24896d318592cb8de453ad3b3d369eb9e
                                                                                                                                                                                                                                                  • Instruction ID: 7f3e6ea60381b1e6058606704527c26c4d48038c076226c159d0f016c099582e
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 12ee17ecf69a70a7a07d046ad7c7f2c24896d318592cb8de453ad3b3d369eb9e
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 89212970D09289EFCB41EFB9D995688BFF1AF86300F1980EAC088D7265D7359A49CB11
                                                                                                                                                                                                                                                  Function 0129D3AF Relevance: .1, Instructions: 56COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2731812610.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_129d000_InstallUtil.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: baab7f8d123f28d322c4ffd644cf3688b32af57504046ee8038241dcee65357b
                                                                                                                                                                                                                                                  • Instruction ID: 4cf4ccd3fd763c319e4e1c32a41576a5455cd8187f25fc84918c1c4b39d4ea40
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: baab7f8d123f28d322c4ffd644cf3688b32af57504046ee8038241dcee65357b
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1011DF76404284CFCF06CF58D5C0B56BF71FB84314F24C5A9D9090B656C336E456DBA1
                                                                                                                                                                                                                                                  Function 02D81BA0 Relevance: .1, Instructions: 52COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2733918578.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2d80000_InstallUtil.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: a5f9379eb3e2fb3d29ca3db5813a2751e6a787f16daed30057ae8b3984e7ffe0
                                                                                                                                                                                                                                                  • Instruction ID: d6eedfb3acf342cc264559e136bc441b591fec0c0ef1809fa4529c27ed59bd79
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a5f9379eb3e2fb3d29ca3db5813a2751e6a787f16daed30057ae8b3984e7ffe0
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2E11C0342012048FD710EB3DE848B56B7E6FB86321F0546FAD109CB764D771AC46CB90
                                                                                                                                                                                                                                                  Function 02D85700 Relevance: .1, Instructions: 51COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2733918578.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2d80000_InstallUtil.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: cdb8eebf60b40bba32708aafc5254c9e3704e66860eb7ca3cff8456433211bb7
                                                                                                                                                                                                                                                  • Instruction ID: fb3d33e833df4b3ad5a4486dff5284241e1020e1c3501333cb01c757c5f553b5
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: cdb8eebf60b40bba32708aafc5254c9e3704e66860eb7ca3cff8456433211bb7
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7D115B74904108DFEB20EFA8E4883ADBBF5FB44349F96C0A9C40A97748D7788984CB51
                                                                                                                                                                                                                                                  Function 02D81688 Relevance: .0, Instructions: 43COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2733918578.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2d80000_InstallUtil.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: d5687329d741cce11067e79afe543ad49d276186f7fbdc5265036782c54816b9
                                                                                                                                                                                                                                                  • Instruction ID: 0d40633e81e0d5750a8453020530f4812ef1d6578e1d53c1faefb6d695825d06
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d5687329d741cce11067e79afe543ad49d276186f7fbdc5265036782c54816b9
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A511C570D01208EFDB44EFA9E58669CBBF5FB84301F1481AAC449A7314E7719E8ACF41
                                                                                                                                                                                                                                                  Function 02D81BB0 Relevance: .0, Instructions: 43COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2733918578.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2d80000_InstallUtil.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 35392d9ae4ba44d026adf4105339790f2af03efa686ed5add45490877daf160c
                                                                                                                                                                                                                                                  • Instruction ID: 43aba7c19bff9ba4884219ae5a52fad6bd4b36f09270673468ce254191846c4d
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 35392d9ae4ba44d026adf4105339790f2af03efa686ed5add45490877daf160c
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C1014B357011048FD760EA6AE408B66B3E6EBC5721F0585BAE10DC7754D775EC46CB90
                                                                                                                                                                                                                                                  Function 02D80942 Relevance: .0, Instructions: 41COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2733918578.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2d80000_InstallUtil.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 46ab855fbe50723512a48cc9ba1f42a01cec7968e09ea9dc524a4f8ed5ef5add
                                                                                                                                                                                                                                                  • Instruction ID: b24caaf0c6f8defc26a3179e903545eac4716b10f1527be35ad965c01e873b4e
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 46ab855fbe50723512a48cc9ba1f42a01cec7968e09ea9dc524a4f8ed5ef5add
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7B016D31904241CFF710FF26E888A50BBF4FF0971574A41AAD94A9B31AD731AD09CF80
                                                                                                                                                                                                                                                  Function 02D82AF6 Relevance: .0, Instructions: 30COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2733918578.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2d80000_InstallUtil.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 10585796d57d00fed791deaa0fadf430c186cb230e4296f161efa04e1326e73b
                                                                                                                                                                                                                                                  • Instruction ID: 56200c0faea0f8d800aa4dea051a9d6941ede620d7cb6ef4f8a28cd360e4d8e2
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 10585796d57d00fed791deaa0fadf430c186cb230e4296f161efa04e1326e73b
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A8F03A39710185DFDB11EBA8D8899FDB7B2EB49320F658566E852AB3E0CB30DC41CB11
                                                                                                                                                                                                                                                  Function 02D87ECE Relevance: .0, Instructions: 19COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2733918578.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2d80000_InstallUtil.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 076fdb281fa26ad0ca1872c84eec9e4ad645c337ce52785e6db08c3f98823e57
                                                                                                                                                                                                                                                  • Instruction ID: 1c90c9a10166f261131140a1d1b9b8038d3682ffe68d1e27c8c46c4f4e9cf123
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 076fdb281fa26ad0ca1872c84eec9e4ad645c337ce52785e6db08c3f98823e57
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: DBE09A74E042149BDB6AAB75F8DC22977AAFB88309F858465B51EC6348DFB59D40CB00
                                                                                                                                                                                                                                                  Function 02D81A50 Relevance: .0, Instructions: 16COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2733918578.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2d80000_InstallUtil.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: fa7e5f62b2c84ec8a4b43d3207c46cf01e9f165da460b88854ade0524a7a25b8
                                                                                                                                                                                                                                                  • Instruction ID: 1716457f3acacff302b4a02c3008e4c29a07f8e02901fb1f1a7b1f8eeaf75fa6
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: fa7e5f62b2c84ec8a4b43d3207c46cf01e9f165da460b88854ade0524a7a25b8
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F0E012319082C54EDF17F735B5DC7543FA0AF57314F0444CAC0418B596DE2A5959C712
                                                                                                                                                                                                                                                  Function 02D8CF50 Relevance: .0, Instructions: 6COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2733918578.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2d80000_InstallUtil.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: e398e23df09561457db479b90ae41a249c3186c2dace60f16b9a54b8d6aae673
                                                                                                                                                                                                                                                  • Instruction ID: 3f6a6b2483192806ea85f0ae07bdb67cd592da49cb458af7078eae069f69f31a
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e398e23df09561457db479b90ae41a249c3186c2dace60f16b9a54b8d6aae673
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 02A0223008AB0C83C20033B03080022338C8800208BC000B8820C08B200833F8B08AA0
                                                                                                                                                                                                                                                  Function 02D80950 Relevance: .0, Instructions: 5COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2733918578.0000000002D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D80000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_2d80000_InstallUtil.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: c7df17f3099abcbe4a9cdcb8d0bb49be65d68c3f5299d887b29cfd11bfd69bab
                                                                                                                                                                                                                                                  • Instruction ID: 49b07aeca80994e9b4b0dc11786389edef1b430b007e694c2e74aae031e4efbf
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c7df17f3099abcbe4a9cdcb8d0bb49be65d68c3f5299d887b29cfd11bfd69bab
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CB90023144464D8B86903796748D555779CA544E157840151A90E4150A5E59641447D9