Windows Analysis Report
SharcHack.exe

AI detected suspicious sample

Source: Yara match	File source: 3.0.v2.exe.6b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000003.1707975693.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.1708524074.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1792575261.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\v2.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: SharcHack.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: freegeoip.app

Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BC31A40 CryptReleaseContext,SIaa0f8e0c251cfd1d,	3_2_6BC31A40
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BCF69D0 SIffb8076c269e2a85,SI8b0d9e6837e61abc,SIffb8076c269e2a85,SI8b0d9e6837e61abc,CryptCreateHash,GetLastError,SIdb45e174afb28e2c,SI905dcc543d48caab,CryptHashData,GetLastError,SIdb45e174afb28e2c,SI905dcc543d48caab,CryptDeriveKey,GetLastError,SI9a326fe0ddbebf12,SI1bf8975e567ea97a,CryptEncrypt,GetLastError,CryptDecrypt,GetLastError,SIaa0f8e0c251cfd1d,SIaa0f8e0c251cfd1d,CryptDestroyKey,CryptDestroyHash,	3_2_6BCF69D0
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BCFF920 sqlite3_cryptoapi_init,CryptReleaseContext,SIaa0f8e0c251cfd1d,CryptAcquireContextW,GetLastError,SIdb45e174afb28e2c,	3_2_6BCFF920

Source: SharcHack.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: unknown	HTTPS traffic detected: 104.21.73.97:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.209.71:443 -> 192.168.2.4:49731 version: TLS 1.2

Source:	Binary string: c:\dev\sqlite\dotnet-private\obj\2010\System.Data.SQLite.2010\Release\System.Data.SQLite.pdb source: v2.exe, v2.exe, 00000003.00000002.1798285981.0000000005242000.00000002.00000001.01000000.0000000A.sdmp, System.Data.SQLite.dll.2.dr
Source:	Binary string: rop.pdb source: VegaStealer_v2.exe, 00000002.00000003.1693877532.00000000031BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/EntityFramework.SqlServer/Release/net40/EntityFramework.SqlServer.pdb source: VegaStealer_v2.exe, 00000002.00000003.1698196259.00000000031B7000.00000004.00000020.00020000.00000000.sdmp, EntityFramework.SqlServer.dll.2.dr
Source:	Binary string: C:\dev\sqlite\dotnet-private\bin\2010\Win32\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: VegaStealer_v2.exe, 00000002.00000003.1694435387.00000000032D4000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000003.00000002.1802899353.000000006BD1F000.00000002.00000001.01000000.0000000B.sdmp, SQLite.Interop.dll.2.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: v2.exe, v2.exe, 00000003.00000002.1799619279.0000000006032000.00000002.00000001.01000000.00000009.sdmp, Newtonsoft.Json.dll.2.dr
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: v2.exe, 00000003.00000002.1792575261.0000000002C92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: :.pdbSH source: VegaStealer_v2.exe, 00000002.00000003.1696578468.00000000031BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/EntityFramework/Release/net40/EntityFramework.pdb source: VegaStealer_v2.exe, 00000002.00000003.1697626414.0000000003411000.00000004.00000020.00020000.00000000.sdmp, EntityFramework.dll.2.dr
Source:	Binary string: /_/artifacts/obj/EntityFramework.SqlServer/Release/net40/EntityFramework.SqlServer.pdbSHA256$ source: VegaStealer_v2.exe, 00000002.00000003.1698196259.00000000031B7000.00000004.00000020.00020000.00000000.sdmp, EntityFramework.SqlServer.dll.2.dr
Source:	Binary string: pto.pdb source: VegaStealer_v2.exe, 00000002.00000003.1694962853.00000000031B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .pdbSHA256 source: VegaStealer_v2.exe, 00000002.00000003.1698528738.0000000000DC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BouncyCastle.Crypto.pdb source: v2.exe, v2.exe, 00000003.00000002.1801147444.0000000007A72000.00000002.00000001.01000000.0000000C.sdmp, BouncyCastle.Crypto.dll.2.dr
Source:	Binary string: /_/artifacts/obj/EntityFramework/Release/net40/EntityFramework.pdbSHA256 source: VegaStealer_v2.exe, 00000002.00000003.1697626414.0000000003411000.00000004.00000020.00020000.00000000.sdmp, EntityFramework.dll.2.dr
Source:	Binary string: c:\dev\sqlite\dotnet-private\obj\2010\System.Data.SQLite.Linq.2010\Release\System.Data.SQLite.Linq.pdb source: VegaStealer_v2.exe, 00000002.00000003.1707696560.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, System.Data.SQLite.Linq.dll.2.dr
Source:	Binary string: .pdbSHA2562$ source: VegaStealer_v2.exe, 00000002.00000003.1698277014.0000000000DC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .pdb` source: VegaStealer_v2.exe, 00000002.00000003.1691516115.0000000002D81000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\dev\sqlite\dotnet-private\bin\2010\x64\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: VegaStealer_v2.exe, 00000002.00000003.1692241734.0000000002ED9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: :.pdb source: VegaStealer_v2.exe, 00000002.00000003.1696578468.00000000031BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BouncyCastle.Crypto.pdbSHA256 source: VegaStealer_v2.exe, 00000002.00000003.1695952349.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000003.00000002.1801147444.0000000007A72000.00000002.00000001.01000000.0000000C.sdmp, BouncyCastle.Crypto.dll.2.dr
Source:	Binary string: System.pdb source: v2.exe, 00000003.00000002.1792575261.0000000002C92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Crypto.pdb source: VegaStealer_v2.exe, 00000002.00000003.1694962853.00000000031B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\dev\sqlite\dotnet-private\obj\2010\System.Data.SQLite.EF6.2010\Release\System.Data.SQLite.EF6.pdb source: VegaStealer_v2.exe, 00000002.00000003.1704508924.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, System.Data.SQLite.EF6.dll.2.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256 source: VegaStealer_v2.exe, 00000002.00000003.1698752807.00000000031B5000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000003.00000002.1799619279.0000000006032000.00000002.00000001.01000000.00000009.sdmp, Newtonsoft.Json.dll.2.dr

Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: freegeoip.appConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: ipbase.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json/?fields=61439 HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json/?fields=61439 HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 172.67.209.71 172.67.209.71

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: ip-api.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: freegeoip.appConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: ipbase.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json/?fields=61439 HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json/?fields=61439 HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: freegeoip.app
Source: global traffic	DNS traffic detected: DNS query: ipbase.com
Source: global traffic	DNS traffic detected: DNS query: ip-api.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Dec 2024 21:47:07 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeAge: 2985Cache-Control: public,max-age=0,must-revalidateCache-Status: "Netlify Edge"; hitVary: Accept-EncodingX-Nf-Request-Id: 01JG51CS0DGXTQGC70P19QW1Y0cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=e8%2BcaaQ5uBcIVmC4kiaEShJa64t6bolyDyKZ6jgNM%2BqaQoKJ4smN%2FQBiV00HW69unRYSvYvrNI6OVJ3UmGSvc0HOSOycSuADxMJhFR9x39KJf8YRuoME1zqcD601"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8f8c81d97d6c428b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1655&min_rtt=1602&rtt_var=708&sent=7&recv=9&lost=0&retrans=0&sent_bytes=2819&recv_bytes=678&delivery_rate=1436301&cwnd=240&unsent_bytes=0&cid=da465c954db9dbe6&ts=587&x=0"

Source: VegaStealer_v2.exe, 00000002.00000003.1698528738.0000000000DC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.di
Source: VegaStealer_v2.exe, 00000002.00000003.1695952349.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, BouncyCastle.Crypto.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: VegaStealer_v2.exe, 00000002.00000003.1707696560.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1694435387.00000000032D4000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1704508924.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1698752807.00000000031B5000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1692241734.000000000308B000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1701496803.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, System.Data.SQLite.EF6.dll.2.dr, Newtonsoft.Json.dll.2.dr, SQLite.Interop.dll.2.dr, System.Data.SQLite.Linq.dll.2.dr, System.Data.SQLite.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: VegaStealer_v2.exe, 00000002.00000003.1698752807.00000000031B5000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: VegaStealer_v2.exe, 00000002.00000003.1695952349.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, BouncyCastle.Crypto.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: VegaStealer_v2.exe, 00000002.00000003.1695952349.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, BouncyCastle.Crypto.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: VegaStealer_v2.exe, 00000002.00000003.1695952349.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, BouncyCastle.Crypto.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: VegaStealer_v2.exe, 00000002.00000003.1707696560.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1694435387.00000000032D4000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1704508924.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1692241734.000000000308B000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1701496803.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, System.Data.SQLite.EF6.dll.2.dr, SQLite.Interop.dll.2.dr, System.Data.SQLite.Linq.dll.2.dr, System.Data.SQLite.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: VegaStealer_v2.exe, 00000002.00000003.1707696560.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1694435387.00000000032D4000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1704508924.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1698752807.00000000031B5000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1692241734.000000000308B000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1701496803.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, System.Data.SQLite.EF6.dll.2.dr, Newtonsoft.Json.dll.2.dr, SQLite.Interop.dll.2.dr, System.Data.SQLite.Linq.dll.2.dr, System.Data.SQLite.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: VegaStealer_v2.exe, 00000002.00000003.1707696560.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1694435387.00000000032D4000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1704508924.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1698752807.00000000031B5000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1692241734.000000000308B000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1701496803.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, System.Data.SQLite.EF6.dll.2.dr, Newtonsoft.Json.dll.2.dr, SQLite.Interop.dll.2.dr, System.Data.SQLite.Linq.dll.2.dr, System.Data.SQLite.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: VegaStealer_v2.exe, 00000002.00000003.1698752807.00000000031B5000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: VegaStealer_v2.exe, 00000002.00000003.1691516115.0000000002D81000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1693877532.00000000031BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crPl3.d
Source: VegaStealer_v2.exe, 00000002.00000003.1706844726.0000000000DCA000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1701954692.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.d
Source: VegaStealer_v2.exe, 00000002.00000003.1699963167.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert
Source: VegaStealer_v2.exe, 00000002.00000003.1691516115.0000000002D81000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1693877532.00000000031BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.cPom/D
Source: VegaStealer_v2.exe, 00000002.00000003.1706844726.0000000000DCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com
Source: VegaStealer_v2.exe, 00000002.00000003.1701954692.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/
Source: VegaStealer_v2.exe, 00000002.00000003.1707696560.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1694435387.00000000032D4000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1704508924.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1698752807.00000000031B5000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1692241734.000000000308B000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1701496803.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, System.Data.SQLite.EF6.dll.2.dr, Newtonsoft.Json.dll.2.dr, SQLite.Interop.dll.2.dr, System.Data.SQLite.Linq.dll.2.dr, System.Data.SQLite.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: VegaStealer_v2.exe, 00000002.00000003.1695952349.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, BouncyCastle.Crypto.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: VegaStealer_v2.exe, 00000002.00000003.1698752807.00000000031B5000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: VegaStealer_v2.exe, 00000002.00000003.1695952349.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, BouncyCastle.Crypto.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: VegaStealer_v2.exe, 00000002.00000003.1707696560.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1694435387.00000000032D4000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1704508924.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1692241734.000000000308B000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1701496803.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, System.Data.SQLite.EF6.dll.2.dr, SQLite.Interop.dll.2.dr, System.Data.SQLite.Linq.dll.2.dr, System.Data.SQLite.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: VegaStealer_v2.exe, 00000002.00000003.1707696560.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1694435387.00000000032D4000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1704508924.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1698752807.00000000031B5000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1692241734.000000000308B000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1701496803.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, System.Data.SQLite.EF6.dll.2.dr, Newtonsoft.Json.dll.2.dr, SQLite.Interop.dll.2.dr, System.Data.SQLite.Linq.dll.2.dr, System.Data.SQLite.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: System.Data.SQLite.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: VegaStealer_v2.exe, 00000002.00000003.1695952349.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, BouncyCastle.Crypto.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: VegaStealer_v2.exe, 00000002.00000003.1698752807.00000000031B5000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: VegaStealer_v2.exe, 00000002.00000003.1695952349.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, BouncyCastle.Crypto.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: VegaStealer_v2.exe, 00000002.00000003.1695952349.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, BouncyCastle.Crypto.dll.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: VegaStealer_v2.exe, 00000002.00000003.1695952349.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, BouncyCastle.Crypto.dll.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: VegaStealer_v2.exe, 00000002.00000003.1707696560.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1694435387.00000000032D4000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1704508924.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1692241734.000000000308B000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1701496803.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, System.Data.SQLite.EF6.dll.2.dr, SQLite.Interop.dll.2.dr, System.Data.SQLite.Linq.dll.2.dr, System.Data.SQLite.dll.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: VegaStealer_v2.exe, 00000002.00000003.1695952349.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, BouncyCastle.Crypto.dll.2.dr	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: VegaStealer_v2.exe, 00000002.00000003.1698752807.00000000031B5000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.2.dr	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: VegaStealer_v2.exe, 00000002.00000003.1695952349.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, BouncyCastle.Crypto.dll.2.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: VegaStealer_v2.exe, 00000002.00000003.1696578468.00000000031BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.micr
Source: VegaStealer_v2.exe, 00000002.00000003.1696578468.00000000031BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.micro
Source: VegaStealer_v2.exe, 00000002.00000003.1696578468.00000000031BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: VegaStealer_v2.exe, 00000002.00000003.1696578468.00000000031BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microso
Source: VegaStealer_v2.exe, 00000002.00000003.1696578468.00000000031BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsof
Source: VegaStealer_v2.exe, 00000002.00000003.1696578468.00000000031BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft
Source: VegaStealer_v2.exe, 00000002.00000003.1696578468.00000000031BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.
Source: v2.exe, 00000003.00000002.1792575261.0000000002ECE000.00000004.00000800.00020000.00000000.sdmp, v2.exe, 00000003.00000002.1792575261.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: VegaStealer_v2.exe, 00000002.00000003.1707975693.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000003.00000000.1708524074.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, v2.exe, 00000003.00000002.1792575261.0000000002ECE000.00000004.00000800.00020000.00000000.sdmp, v2.exe, 00000003.00000002.1792575261.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, v2.exe.2.dr	String found in binary or memory: http://ip-api.com/json/?fields=61439
Source: v2.exe, 00000003.00000002.1792575261.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/?fields=61439d
Source: v2.exe, 00000003.00000002.1792575261.0000000002ECE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/?fieldsT
Source: v2.exe, 00000003.00000002.1792575261.0000000002ECE000.00000004.00000800.00020000.00000000.sdmp, v2.exe, 00000003.00000002.1792575261.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.comd
Source: v2.exe, 00000003.00000002.1792575261.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.commi
Source: Newtonsoft.Json.dll.2.dr	String found in binary or memory: http://james.newtonking.com/projects/json
Source: v2.exe, 00000003.00000002.1801026072.0000000007751000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.0/
Source: VegaStealer_v2.exe, 00000002.00000003.1698528738.0000000000DC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.c
Source: VegaStealer_v2.exe, 00000002.00000003.1706844726.0000000000DCA000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1707696560.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1694435387.00000000032D4000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1704508924.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1692241734.000000000308B000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1701496803.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, System.Data.SQLite.EF6.dll.2.dr, SQLite.Interop.dll.2.dr, System.Data.SQLite.Linq.dll.2.dr, System.Data.SQLite.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: VegaStealer_v2.exe, 00000002.00000003.1707696560.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1694435387.00000000032D4000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1704508924.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1701954692.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1698752807.00000000031B5000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1692241734.000000000308B000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1701496803.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, System.Data.SQLite.EF6.dll.2.dr, Newtonsoft.Json.dll.2.dr, SQLite.Interop.dll.2.dr, System.Data.SQLite.Linq.dll.2.dr, System.Data.SQLite.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: VegaStealer_v2.exe, 00000002.00000003.1695952349.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1707696560.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1694435387.00000000032D4000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1704508924.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1698752807.00000000031B5000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1692241734.000000000308B000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1701496803.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, System.Data.SQLite.EF6.dll.2.dr, Newtonsoft.Json.dll.2.dr, SQLite.Interop.dll.2.dr, System.Data.SQLite.Linq.dll.2.dr, System.Data.SQLite.dll.2.dr, BouncyCastle.Crypto.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: VegaStealer_v2.exe, 00000002.00000003.1695952349.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, BouncyCastle.Crypto.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: VegaStealer_v2.exe, 00000002.00000003.1695952349.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, BouncyCastle.Crypto.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: VegaStealer_v2.exe, 00000002.00000003.1695952349.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1698752807.00000000031B5000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.2.dr, BouncyCastle.Crypto.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: VegaStealer_v2.exe, 00000002.00000003.1707696560.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1694435387.00000000032D4000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1704508924.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1698752807.00000000031B5000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1692241734.000000000308B000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1701496803.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, System.Data.SQLite.EF6.dll.2.dr, Newtonsoft.Json.dll.2.dr, SQLite.Interop.dll.2.dr, System.Data.SQLite.Linq.dll.2.dr, System.Data.SQLite.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: v2.exe, 00000003.00000002.1792575261.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: VegaStealer_v2.exe, 00000002.00000003.1695952349.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1707696560.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1694435387.00000000032D4000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1704508924.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1698752807.00000000031B5000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1692241734.000000000308B000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1701496803.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, System.Data.SQLite.EF6.dll.2.dr, Newtonsoft.Json.dll.2.dr, SQLite.Interop.dll.2.dr, System.Data.SQLite.Linq.dll.2.dr, System.Data.SQLite.dll.2.dr, BouncyCastle.Crypto.dll.2.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: VegaStealer_v2.exe, 00000002.00000003.1695952349.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, BouncyCastle.Crypto.dll.2.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: v2.exe, 00000003.00000002.1796779654.0000000003BB8000.00000004.00000800.00020000.00000000.sdmp, tmp91C8.tmp.dat.3.dr, tmp908A.tmp.dat.3.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: v2.exe, 00000003.00000002.1792575261.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, v2.exe, 00000003.00000002.1792575261.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://answers.netlify.com/t/support-guide-i-ve-deployed-my-site-but-i-still-see-page-not-found/125
Source: v2.exe, 00000003.00000002.1792575261.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: v2.exe, 00000003.00000002.1792575261.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.vimeworld.ru/user/name/
Source: v2.exe, 00000003.00000002.1796779654.0000000003BB8000.00000004.00000800.00020000.00000000.sdmp, tmp91C8.tmp.dat.3.dr, tmp908A.tmp.dat.3.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: v2.exe, 00000003.00000002.1796779654.0000000003BB8000.00000004.00000800.00020000.00000000.sdmp, tmp91C8.tmp.dat.3.dr, tmp908A.tmp.dat.3.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: v2.exe, 00000003.00000002.1796779654.0000000003BB8000.00000004.00000800.00020000.00000000.sdmp, tmp91C8.tmp.dat.3.dr, tmp908A.tmp.dat.3.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: v2.exe, 00000003.00000002.1796779654.0000000003BB8000.00000004.00000800.00020000.00000000.sdmp, tmp91C8.tmp.dat.3.dr, tmp908A.tmp.dat.3.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: v2.exe, 00000003.00000002.1796779654.0000000003BB8000.00000004.00000800.00020000.00000000.sdmp, tmp91C8.tmp.dat.3.dr, tmp908A.tmp.dat.3.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: v2.exe, 00000003.00000002.1796779654.0000000003BB8000.00000004.00000800.00020000.00000000.sdmp, tmp91C8.tmp.dat.3.dr, tmp908A.tmp.dat.3.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: v2.exe, 00000003.00000002.1792575261.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://freegeoip.app
Source: v2.exe, 00000003.00000002.1792575261.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://freegeoip.app/xml/
Source: VegaStealer_v2.exe, 00000002.00000003.1707975693.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000003.00000000.1708524074.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, v2.exe.2.dr	String found in binary or memory: https://freegeoip.app/xml/9https://api.telegram.org/botGhttps://api.vimeworld.ru/user/name/1--------
Source: VegaStealer_v2.exe, 00000002.00000003.1695952349.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, BouncyCastle.Crypto.dll.2.dr	String found in binary or memory: https://github.com/novotnyllc/bc-csharp
Source: v2.exe, 00000003.00000002.1792575261.0000000002B79000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipbase.com
Source: v2.exe, 00000003.00000002.1792575261.0000000002B75000.00000004.00000800.00020000.00000000.sdmp, v2.exe, 00000003.00000002.1792575261.0000000002B79000.00000004.00000800.00020000.00000000.sdmp, v2.exe, 00000003.00000002.1792575261.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipbase.com/xml/
Source: VegaStealer_v2.exe, 00000002.00000003.1707975693.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000003.00000000.1708524074.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, v2.exe.2.dr	String found in binary or memory: https://steamcommunity.com/profiles/ASOFTWARE
Source: tmp91C9.tmp.tmpdb.3.dr	String found in binary or memory: https://support.mozilla.org
Source: tmp91C9.tmp.tmpdb.3.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: tmp91C9.tmp.tmpdb.3.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: v2.exe, 00000003.00000002.1792575261.0000000002D38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id
Source: v2.exe, 00000003.00000002.1792575261.0000000002D38000.00000004.00000800.00020000.00000000.sdmp, v2.exe, 00000003.00000002.1796779654.0000000003BA0000.00000004.00000800.00020000.00000000.sdmp, History.txt.3.dr, tmp9158.tmp.dat.3.dr, tmp9188.tmp.dat.3.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: v2.exe, 00000003.00000002.1796779654.0000000003B7B000.00000004.00000800.00020000.00000000.sdmp, tmp9158.tmp.dat.3.dr, tmp9188.tmp.dat.3.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: v2.exe, 00000003.00000002.1792575261.0000000002D38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2T
Source: v2.exe, 00000003.00000002.1792575261.0000000002D38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2T~R
Source: v2.exe, 00000003.00000002.1792575261.0000000002D38000.00000004.00000800.00020000.00000000.sdmp, v2.exe, 00000003.00000002.1796779654.0000000003BA0000.00000004.00000800.00020000.00000000.sdmp, History.txt.3.dr, tmp9158.tmp.dat.3.dr, tmp9188.tmp.dat.3.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: v2.exe, 00000003.00000002.1796779654.0000000003B7B000.00000004.00000800.00020000.00000000.sdmp, tmp9158.tmp.dat.3.dr, tmp9188.tmp.dat.3.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: System.Data.SQLite.dll.2.dr	String found in binary or memory: https://system.data.sqlite.org/
Source: VegaStealer_v2.exe, 00000002.00000003.1701496803.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000003.00000002.1798373548.00000000052A4000.00000002.00000001.01000000.0000000A.sdmp, System.Data.SQLite.dll.2.dr	String found in binary or memory: https://system.data.sqlite.org/X
Source: VegaStealer_v2.exe, 00000002.00000003.1707975693.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000003.00000000.1708524074.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, v2.exe, 00000003.00000002.1792575261.0000000002ECE000.00000004.00000800.00020000.00000000.sdmp, v2.exe, 00000003.00000002.1792575261.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, v2.exe, 00000003.00000002.1792575261.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, v2.exe.2.dr, Information.txt.3.dr	String found in binary or memory: https://t.me/VegaStealer_bot
Source: VegaStealer_v2.exe, 00000002.00000003.1707975693.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000003.00000000.1708524074.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, v2.exe.2.dr	String found in binary or memory: https://t.me/VegaStealer_bot-/sendDocument?chat_id=
Source: System.Data.SQLite.dll.2.dr	String found in binary or memory: https://urn.to/r/sds_see
Source: VegaStealer_v2.exe, 00000002.00000003.1695952349.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, BouncyCastle.Crypto.dll.2.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: v2.exe, 00000003.00000002.1796779654.0000000003BB8000.00000004.00000800.00020000.00000000.sdmp, tmp91C8.tmp.dat.3.dr, tmp908A.tmp.dat.3.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: v2.exe, 00000003.00000002.1796779654.0000000003BB8000.00000004.00000800.00020000.00000000.sdmp, tmp91C8.tmp.dat.3.dr, tmp908A.tmp.dat.3.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: tmp91C9.tmp.tmpdb.3.dr	String found in binary or memory: https://www.mozilla.org
Source: tmp91C9.tmp.tmpdb.3.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: tmp91C9.tmp.tmpdb.3.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: v2.exe, 00000003.00000002.1792575261.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, History.txt0.3.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/)
Source: v2.exe, 00000003.00000002.1796779654.0000000003C31000.00000004.00000800.00020000.00000000.sdmp, tmp908B.tmp.tmpdb.3.dr, tmp91C9.tmp.tmpdb.3.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: tmp91C9.tmp.tmpdb.3.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: v2.exe, 00000003.00000002.1796779654.0000000003C31000.00000004.00000800.00020000.00000000.sdmp, tmp908B.tmp.tmpdb.3.dr, tmp91C9.tmp.tmpdb.3.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: VegaStealer_v2.exe, 00000002.00000003.1698752807.00000000031B5000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.2.dr	String found in binary or memory: https://www.newtonsoft.com/json
Source: Newtonsoft.Json.dll.2.dr	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: v2.exe, v2.exe, 00000003.00000002.1799619279.0000000006032000.00000002.00000001.01000000.00000009.sdmp, Newtonsoft.Json.dll.2.dr	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: VegaStealer_v2.exe, 00000002.00000003.1692241734.0000000002ED9000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1694435387.00000000032D4000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000003.00000002.1803093953.000000006BD4C000.00000002.00000001.01000000.0000000B.sdmp, SQLite.Interop.dll.2.dr	String found in binary or memory: https://www.sqlite.org/copyright.html2
Source: VegaStealer_v2.exe, 00000002.00000003.1706844726.0000000000DCA000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1701954692.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.sqlite.org/lang
Source: VegaStealer_v2.exe, 00000002.00000003.1707696560.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1704508924.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, System.Data.SQLite.EF6.dll.2.dr, System.Data.SQLite.Linq.dll.2.dr	String found in binary or memory: https://www.sqlite.org/lang_aggfunc.html
Source: VegaStealer_v2.exe, 00000002.00000003.1706844726.0000000000DCA000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1701954692.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.sqlite.org/lang_c
Source: VegaStealer_v2.exe, 00000002.00000003.1707696560.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1704508924.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, System.Data.SQLite.EF6.dll.2.dr, System.Data.SQLite.Linq.dll.2.dr	String found in binary or memory: https://www.sqlite.org/lang_corefunc.html

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown	HTTPS traffic detected: 104.21.73.97:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.209.71:443 -> 192.168.2.4:49731 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: v2.exe.2.dr, Screen.cs

.Net Code: GetScreen

E-Banking Fraud

Malicious sample detected (through community Yara rule)

Source: Yara match	File source: 3.0.v2.exe.6b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000003.1707975693.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.1708524074.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1792575261.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED

System Summary

Source: 3.0.v2.exe.6b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detect the Lighting infostealer based on specific strings Author: Sekoia.io
Source: 3.0.v2.exe.6b0000.0.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 3.0.v2.exe.6b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 3.0.v2.exe.6b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 3.0.v2.exe.6b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 3.0.v2.exe.6b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects A310Logger Author: ditekSHen
Source: 00000002.00000003.1707975693.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000003.00000000.1708524074.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000003.00000002.1792575261.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: VegaStealer_v2.exe PID: 4180, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: v2.exe PID: 2172, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED	Matched rule: Detect the Lighting infostealer based on specific strings Author: Sekoia.io
Source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED	Matched rule: Detects A310Logger Author: ditekSHen

Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_05246B97	3_2_05246B97
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_06032974	3_2_06032974
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BCB5D80	3_2_6BCB5D80
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BC7EBD0	3_2_6BC7EBD0
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BCE1B80	3_2_6BCE1B80
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BC31B10	3_2_6BC31B10
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BC12AD0	3_2_6BC12AD0
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BCF3A90	3_2_6BCF3A90
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BC86AA0	3_2_6BC86AA0
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BCDDA50	3_2_6BCDDA50
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BC66A70	3_2_6BC66A70
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BC26930	3_2_6BC26930
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BC24870	3_2_6BC24870
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BC6D800	3_2_6BC6D800
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BC80810	3_2_6BC80810
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BC08FEE	3_2_6BC08FEE
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BC43FA0	3_2_6BC43FA0
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BCDFE40	3_2_6BCDFE40
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BC10E77	3_2_6BC10E77
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BC46DD0	3_2_6BC46DD0
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BC37D70	3_2_6BC37D70
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BC0FCF9	3_2_6BC0FCF9
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BC67C90	3_2_6BC67C90
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BCF6C50	3_2_6BCF6C50
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BCAF3A0	3_2_6BCAF3A0
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BC17340	3_2_6BC17340
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BCC1340	3_2_6BCC1340
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BC4E350	3_2_6BC4E350
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BC1024A	3_2_6BC1024A
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BC76260	3_2_6BC76260
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BC1C1C0	3_2_6BC1C1C0
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BC1B180	3_2_6BC1B180
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BCF7150	3_2_6BCF7150
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BCE2100	3_2_6BCE2100
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BCBC0C0	3_2_6BCBC0C0
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BC250A0	3_2_6BC250A0
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BC1B050	3_2_6BC1B050
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BC3D7C0	3_2_6BC3D7C0
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BC1079B	3_2_6BC1079B
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BC83760	3_2_6BC83760
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BC246F0	3_2_6BC246F0
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BCA86A0	3_2_6BCA86A0
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BC0B5D1	3_2_6BC0B5D1
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BC3A5F0	3_2_6BC3A5F0
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BC04589	3_2_6BC04589
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BCC75B0	3_2_6BCC75B0
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BC30550	3_2_6BC30550
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BC12491	3_2_6BC12491
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BC1A4A0	3_2_6BC1A4A0
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BCD04A0	3_2_6BCD04A0
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BC17440	3_2_6BC17440
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BC82400	3_2_6BC82400
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_0108C558	3_2_0108C558

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\BouncyCastle.Crypto.dll E51721DC0647F4838B1ABC592BD95FD8CB924716E8A64F83D4B947821FA1FA42

Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: String function: 6BC59320 appears 112 times
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: String function: 6BC7FC90 appears 191 times

Source: SharcHack.exe	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: SharcHack.exe	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows

Source: SharcHack.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: 3.0.v2.exe.6b0000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_lighting author = Sekoia.io, description = Detect the Lighting infostealer based on specific strings, creation_date = 2022-04-07, classification = TLP:CLEAR, version = 1.0, reference = https://blog.cyble.com/2022/04/05/inside-lightning-stealer/, id = 3c160c16-f417-4fa2-aa44-fb7b981fb2b3
Source: 3.0.v2.exe.6b0000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 3.0.v2.exe.6b0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 3.0.v2.exe.6b0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 3.0.v2.exe.6b0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 3.0.v2.exe.6b0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 00000002.00000003.1707975693.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000003.00000000.1708524074.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000003.00000002.1792575261.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: VegaStealer_v2.exe PID: 4180, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: v2.exe PID: 2172, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED	Matched rule: infostealer_win_lighting author = Sekoia.io, description = Detect the Lighting infostealer based on specific strings, creation_date = 2022-04-07, classification = TLP:CLEAR, version = 1.0, reference = https://blog.cyble.com/2022/04/05/inside-lightning-stealer/, id = 3c160c16-f417-4fa2-aa44-fb7b981fb2b3
Source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED	Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207

Source: v2.exe.2.dr, Help.cs

Suspicious URL: 'https://api.vimeworld.ru/user/name/'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/43@3/3

Source: C:\Users\user\AppData\Local\Temp\SharcHack.exe

Code function: 1_2_00401F48 FindResourceA,SizeofResource,LoadResource,LockResource,FreeResource,

1_2_00401F48

Source: C:\Users\user\AppData\Local\Temp\v2.exe

File created: C:\Users\user\AppData\Roaming\RHXHZFFNPuyLPR210395.user

Source: C:\Users\user\AppData\Local\Temp\v2.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\SharcHack.exe

File created: C:\Users\user\AppData\Local\Temp\SharcHack.exe

Source: C:\Users\user\AppData\Local\Temp\v2.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\v2.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SharcHack.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Users\user\Desktop\SharcHack.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: VegaStealer_v2.exe, 00000002.00000003.1692241734.0000000002ED9000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1694435387.00000000032D4000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000003.00000002.1802899353.000000006BD1F000.00000002.00000001.01000000.0000000B.sdmp, SQLite.Interop.dll.2.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: VegaStealer_v2.exe, 00000002.00000003.1692241734.0000000002ED9000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1694435387.00000000032D4000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000003.00000002.1802899353.000000006BD1F000.00000002.00000001.01000000.0000000B.sdmp, SQLite.Interop.dll.2.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: VegaStealer_v2.exe, 00000002.00000003.1692241734.0000000002ED9000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1694435387.00000000032D4000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000003.00000002.1802899353.000000006BD1F000.00000002.00000001.01000000.0000000B.sdmp, SQLite.Interop.dll.2.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: VegaStealer_v2.exe, 00000002.00000003.1692241734.0000000002ED9000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1694435387.00000000032D4000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000003.00000002.1802899353.000000006BD1F000.00000002.00000001.01000000.0000000B.sdmp, SQLite.Interop.dll.2.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: v2.exe, v2.exe, 00000003.00000002.1802899353.000000006BD1F000.00000002.00000001.01000000.0000000B.sdmp, SQLite.Interop.dll.2.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: VegaStealer_v2.exe, 00000002.00000003.1692241734.0000000002ED9000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1694435387.00000000032D4000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000003.00000002.1802899353.000000006BD1F000.00000002.00000001.01000000.0000000B.sdmp, SQLite.Interop.dll.2.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: v2.exe	Binary or memory string: CREATE TABLE {0}(x);
Source: 1a476fd9-290d-4458-a6ca-4fc425eee287.3.dr, tmp9147.tmp.dat.3.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: VegaStealer_v2.exe, 00000002.00000003.1692241734.0000000002ED9000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1694435387.00000000032D4000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000003.00000002.1802899353.000000006BD1F000.00000002.00000001.01000000.0000000B.sdmp, SQLite.Interop.dll.2.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: SharcHack.exe

ReversingLabs: Detection: 94%

Source: v2.exe

String found in binary or memory: /configuration/appSettings/add[@key='{0}']

Source: unknown	Process created: C:\Users\user\Desktop\SharcHack.exe "C:\Users\user\Desktop\SharcHack.exe"
Source: C:\Users\user\Desktop\SharcHack.exe	Process created: C:\Users\user\AppData\Local\Temp\SharcHack.exe "C:\Users\user\AppData\Local\Temp\SharcHack.exe"
Source: C:\Users\user\Desktop\SharcHack.exe	Process created: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe "C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe"
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Process created: C:\Users\user\AppData\Local\Temp\v2.exe "C:\Users\user\AppData\Local\Temp\v2.exe"
Source: C:\Users\user\Desktop\SharcHack.exe	Process created: C:\Users\user\AppData\Local\Temp\SharcHack.exe "C:\Users\user\AppData\Local\Temp\SharcHack.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Process created: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe "C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Process created: C:\Users\user\AppData\Local\Temp\v2.exe "C:\Users\user\AppData\Local\Temp\v2.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SharcHack.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SharcHack.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SharcHack.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: userenv.dll	Jump to behavior

Source: C:\Users\user\Desktop\SharcHack.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: SharcHack.exe

Static file information: File size 8223744 > 1048576

Source: SharcHack.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x7d5a00

Source:	Binary string: c:\dev\sqlite\dotnet-private\obj\2010\System.Data.SQLite.2010\Release\System.Data.SQLite.pdb source: v2.exe, v2.exe, 00000003.00000002.1798285981.0000000005242000.00000002.00000001.01000000.0000000A.sdmp, System.Data.SQLite.dll.2.dr
Source:	Binary string: rop.pdb source: VegaStealer_v2.exe, 00000002.00000003.1693877532.00000000031BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/EntityFramework.SqlServer/Release/net40/EntityFramework.SqlServer.pdb source: VegaStealer_v2.exe, 00000002.00000003.1698196259.00000000031B7000.00000004.00000020.00020000.00000000.sdmp, EntityFramework.SqlServer.dll.2.dr
Source:	Binary string: C:\dev\sqlite\dotnet-private\bin\2010\Win32\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: VegaStealer_v2.exe, 00000002.00000003.1694435387.00000000032D4000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000003.00000002.1802899353.000000006BD1F000.00000002.00000001.01000000.0000000B.sdmp, SQLite.Interop.dll.2.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: v2.exe, v2.exe, 00000003.00000002.1799619279.0000000006032000.00000002.00000001.01000000.00000009.sdmp, Newtonsoft.Json.dll.2.dr
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: v2.exe, 00000003.00000002.1792575261.0000000002C92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: :.pdbSH source: VegaStealer_v2.exe, 00000002.00000003.1696578468.00000000031BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/EntityFramework/Release/net40/EntityFramework.pdb source: VegaStealer_v2.exe, 00000002.00000003.1697626414.0000000003411000.00000004.00000020.00020000.00000000.sdmp, EntityFramework.dll.2.dr
Source:	Binary string: /_/artifacts/obj/EntityFramework.SqlServer/Release/net40/EntityFramework.SqlServer.pdbSHA256$ source: VegaStealer_v2.exe, 00000002.00000003.1698196259.00000000031B7000.00000004.00000020.00020000.00000000.sdmp, EntityFramework.SqlServer.dll.2.dr
Source:	Binary string: pto.pdb source: VegaStealer_v2.exe, 00000002.00000003.1694962853.00000000031B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .pdbSHA256 source: VegaStealer_v2.exe, 00000002.00000003.1698528738.0000000000DC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BouncyCastle.Crypto.pdb source: v2.exe, v2.exe, 00000003.00000002.1801147444.0000000007A72000.00000002.00000001.01000000.0000000C.sdmp, BouncyCastle.Crypto.dll.2.dr
Source:	Binary string: /_/artifacts/obj/EntityFramework/Release/net40/EntityFramework.pdbSHA256 source: VegaStealer_v2.exe, 00000002.00000003.1697626414.0000000003411000.00000004.00000020.00020000.00000000.sdmp, EntityFramework.dll.2.dr
Source:	Binary string: c:\dev\sqlite\dotnet-private\obj\2010\System.Data.SQLite.Linq.2010\Release\System.Data.SQLite.Linq.pdb source: VegaStealer_v2.exe, 00000002.00000003.1707696560.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, System.Data.SQLite.Linq.dll.2.dr
Source:	Binary string: .pdbSHA2562$ source: VegaStealer_v2.exe, 00000002.00000003.1698277014.0000000000DC7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .pdb` source: VegaStealer_v2.exe, 00000002.00000003.1691516115.0000000002D81000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\dev\sqlite\dotnet-private\bin\2010\x64\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: VegaStealer_v2.exe, 00000002.00000003.1692241734.0000000002ED9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: :.pdb source: VegaStealer_v2.exe, 00000002.00000003.1696578468.00000000031BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BouncyCastle.Crypto.pdbSHA256 source: VegaStealer_v2.exe, 00000002.00000003.1695952349.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000003.00000002.1801147444.0000000007A72000.00000002.00000001.01000000.0000000C.sdmp, BouncyCastle.Crypto.dll.2.dr
Source:	Binary string: System.pdb source: v2.exe, 00000003.00000002.1792575261.0000000002C92000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Crypto.pdb source: VegaStealer_v2.exe, 00000002.00000003.1694962853.00000000031B3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\dev\sqlite\dotnet-private\obj\2010\System.Data.SQLite.EF6.2010\Release\System.Data.SQLite.EF6.pdb source: VegaStealer_v2.exe, 00000002.00000003.1704508924.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, System.Data.SQLite.EF6.dll.2.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256 source: VegaStealer_v2.exe, 00000002.00000003.1698752807.00000000031B5000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000003.00000002.1799619279.0000000006032000.00000002.00000001.01000000.00000009.sdmp, Newtonsoft.Json.dll.2.dr

Source: v2.exe.2.dr

Static PE information: 0xA1167174 [Mon Aug 23 02:56:52 2055 UTC]

Source: C:\Users\user\AppData\Local\Temp\v2.exe

Code function: 3_2_6BC0F76D LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

3_2_6BC0F76D

Source: C:\Users\user\AppData\Local\Temp\SharcHack.exe	Code function: 1_2_00401C72 push 00401CA0h; ret	1_2_00401C98
Source: C:\Users\user\AppData\Local\Temp\SharcHack.exe	Code function: 1_2_00401C74 push 00401CA0h; ret	1_2_00401C98
Source: C:\Users\user\AppData\Local\Temp\SharcHack.exe	Code function: 1_2_00402074 push 0040209Ah; ret	1_2_00402092
Source: C:\Users\user\AppData\Local\Temp\SharcHack.exe	Code function: 1_2_00401BDC push 00401C08h; ret	1_2_00401C00
Source: C:\Users\user\AppData\Local\Temp\SharcHack.exe	Code function: 1_2_004019F4 push 00401A2Eh; ret	1_2_00401A26
Source: C:\Users\user\AppData\Local\Temp\SharcHack.exe	Code function: 1_2_00401B98 push 00401BD0h; ret	1_2_00401BC8
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BC07B85 push ecx; ret	3_2_6BC07B98
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_010846A9 pushfd ; iretd	3_2_010846B5
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_01082D68 pushfd ; iretd	3_2_01082D79

Source: C:\Users\user\Desktop\SharcHack.exe	File created: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	File created: C:\Users\user\AppData\Local\Temp\System.Data.SQLite.EF6.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	File created: C:\Users\user\AppData\Local\Temp\EntityFramework.SqlServer.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	File created: C:\Users\user\AppData\Local\Temp\SQLite.Interop.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	File created: C:\Users\user\AppData\Local\Temp\BouncyCastle.Crypto.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	File created: C:\Users\user\AppData\Local\Temp\System.Data.SQLite.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	File created: C:\Users\user\AppData\Local\Temp\EntityFramework.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	File created: C:\Users\user\AppData\Local\Temp\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SharcHack.exe	File created: C:\Users\user\AppData\Local\Temp\SharcHack.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	File created: C:\Users\user\AppData\Local\Temp\System.Data.SQLite.Linq.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	File created: C:\Users\user\AppData\Local\Temp\v2.exe	Jump to dropped file

Source: C:\Users\user\Desktop\SharcHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\v2.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: VegaStealer_v2.exe, 00000002.00000003.1707975693.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000003.00000000.1708524074.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, v2.exe.2.dr

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\AppData\Local\Temp\v2.exe	Memory allocated: 1080000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Memory allocated: 2B10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Memory allocated: 10B0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 599859	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 599750	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 598640	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 597873	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 597766	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 597641	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 597516	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 597296	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 597187	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 596516	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 596391	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 595713	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 595266	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 595151	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 594469	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\v2.exe	Window / User API: threadDelayed 8199			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Window / User API: threadDelayed 1613			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\System.Data.SQLite.EF6.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\EntityFramework.SqlServer.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\SQLite.Interop.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\BouncyCastle.Crypto.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\System.Data.SQLite.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\EntityFramework.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\System.Data.SQLite.Linq.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\SharcHack.exe	API coverage: 9.7 %
Source: C:\Users\user\AppData\Local\Temp\v2.exe	API coverage: 2.2 %

Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -599859s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -599750s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -599641s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -599531s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -599422s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -599312s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -599203s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -599094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -598969s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -598859s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -598750s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -598640s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -598531s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -598422s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -598312s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -598203s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -598094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -597984s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -597873s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -597766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -597641s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -597516s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -597406s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -597296s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -597187s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -597078s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -596969s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -596859s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -596750s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -596641s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -596516s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -596391s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -596281s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -596172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -596062s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -595953s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -595844s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -595713s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -595594s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -595484s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -595375s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -595266s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -595151s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -595031s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -594922s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -594812s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -594703s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -594594s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 6500	Thread sleep time: -594469s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\v2.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem

Source: C:\Users\user\AppData\Local\Temp\v2.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\v2.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\v2.exe

Code function: 3_2_6BC9F1A0 GetSystemInfo,

3_2_6BC9F1A0

Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 599859	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 599750	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 598640	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 597873	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 597766	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 597641	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 597516	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 597296	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 597187	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 596516	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 596391	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 595713	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 595266	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 595151	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 594469	Jump to behavior

Source: v2.exe.2.dr	Binary or memory string: vmware, inc.
Source: v2.exe.2.dr	Binary or memory string: vmware7,1
Source: v2.exe.2.dr	Binary or memory string: vmware
Source: v2.exe, 00000003.00000002.1791800211.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll(

Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe

API call chain: ExitProcess graph end node

graph_2-13

Source: C:\Users\user\AppData\Local\Temp\v2.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Local\Temp\v2.exe

Code function: 3_2_010879E8 LdrInitializeThunk,

3_2_010879E8

Source: C:\Users\user\AppData\Local\Temp\v2.exe

Code function: 3_2_6BC043E3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_6BC043E3

Source: C:\Users\user\AppData\Local\Temp\v2.exe

Code function: 3_2_6BC28910 _memset,OutputDebugStringA,GetProcessHeap,OutputDebugStringA,GetLastError,lstrlenW,HeapAlloc,OutputDebugStringA,_memset,GetEnvironmentVariableW,OutputDebugStringA,GetLastError,OutputDebugStringA,_memset,GetModuleFileNameW,lstrlenW,OutputDebugStringA,lstrcatW,lstrcatW,lstrcatW,lstrcatW,GetFileAttributesW,OutputDebugStringA,OutputDebugStringA,GetLastError,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,WinVerifyTrust,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,GetModuleHandleW,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,OutputDebugStringA,GetProcAddress,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,_memset,GetEnvironmentVariableW,OutputDebugStringA,_memset,GetCurrentThreadId,GetCurrentProcessId,wsprintfW,_memset,GetEnvironmentVariableW,SetEnvironmentVariableW,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,HeapFree,_memset,__snprintf,OutputDebugStringA,

3_2_6BC28910

Source: C:\Users\user\AppData\Local\Temp\v2.exe

3_2_6BC0F76D

Source: C:\Users\user\AppData\Local\Temp\SharcHack.exe

Code function: 1_2_00401A38 GetProcessHeap,GetCurrentThreadId,

1_2_00401A38

Source: C:\Users\user\AppData\Local\Temp\v2.exe

Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BC043E3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		3_2_6BC043E3
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 3_2_6BC01186 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		3_2_6BC01186

Source: C:\Users\user\AppData\Local\Temp\v2.exe

Memory allocated: page read and write | page guard

Yara detected Telegram Recon

Source: C:\Users\user\Desktop\SharcHack.exe	Process created: C:\Users\user\AppData\Local\Temp\SharcHack.exe "C:\Users\user\AppData\Local\Temp\SharcHack.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Process created: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe "C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Process created: C:\Users\user\AppData\Local\Temp\v2.exe "C:\Users\user\AppData\Local\Temp\v2.exe"	Jump to behavior

Language, Device and Operating System Detection

Source: Yara match

File source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED

Source: C:\Users\user\AppData\Local\Temp\v2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\v2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Newtonsoft.Json.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\System.Data.SQLite.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BouncyCastle.Crypto.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\v2.exe

Code function: 3_2_6BC0A8D4 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

3_2_6BC0A8D4

Source: C:\Users\user\AppData\Local\Temp\v2.exe

Code function: 3_2_6BC0545C __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

3_2_6BC0545C

Source: C:\Users\user\AppData\Local\Temp\v2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Yara detected Ades Stealer

Stealing of Sensitive Information

Source: Yara match	File source: 3.0.v2.exe.6b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000003.1707975693.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.1708524074.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VegaStealer_v2.exe PID: 4180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: v2.exe PID: 2172, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED

Yara detected Nitro Stealer

Source: Yara match	File source: 3.0.v2.exe.6b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000003.1707975693.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.1708524074.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1792575261.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED

Source: Yara match	File source: 3.0.v2.exe.6b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000003.1707975693.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.1708524074.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VegaStealer_v2.exe PID: 4180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: v2.exe PID: 2172, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED

Yara detected Telegram RAT

Source: Yara match	File source: 3.0.v2.exe.6b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000003.1707975693.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.1708524074.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1792575261.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VegaStealer_v2.exe PID: 4180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: v2.exe PID: 2172, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED

Yara detected VEGA Stealer

Source: Yara match	File source: 3.0.v2.exe.6b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000003.1707975693.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.1708524074.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1792575261.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1792575261.0000000002ECE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VegaStealer_v2.exe PID: 4180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: v2.exe PID: 2172, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED

Found many strings related to Crypto-Wallets (likely being stolen)

Source: VegaStealer_v2.exe, 00000002.00000003.1707975693.00000000031B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: VegaStealer_v2.exe, 00000002.00000003.1708015105.0000000000DCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx_V
Source: VegaStealer_v2.exe, 00000002.00000003.1707975693.00000000031B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %\Wallets\DashCore\)\DashCore\wallet.dat#\Electrum\wallets%\Wallets\Electrum\%\Ethereum\keystore%\Wallets\Ethereum\-\Exodus\exodus.wallet\!\Wallets\Exodus\m\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: VegaStealer_v2.exe, 00000002.00000003.1707975693.00000000031B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %\Wallets\DashCore\)\DashCore\wallet.dat#\Electrum\wallets%\Wallets\Electrum\%\Ethereum\keystore%\Wallets\Ethereum\-\Exodus\exodus.wallet\!\Wallets\Exodus\m\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: VegaStealer_v2.exe, 00000002.00000003.1707975693.00000000031B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusDir
Source: VegaStealer_v2.exe, 00000002.00000003.1707975693.00000000031B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: VegaStealer_v2.exe, 00000002.00000003.1707975693.00000000031B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %\Wallets\DashCore\)\DashCore\wallet.dat#\Electrum\wallets%\Wallets\Electrum\%\Ethereum\keystore%\Wallets\Ethereum\-\Exodus\exodus.wallet\!\Wallets\Exodus\m\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: VegaStealer_v2.exe, 00000002.00000003.1695952349.00000000033B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: [Org.BouncyCastle.Pkcs12.IgnoreUselessPasswordtrueqpassword supplied for keystore that does not require one

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\v2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\v2.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior

Source: Yara match	File source: 3.0.v2.exe.6b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000003.1707975693.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.1708524074.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1792575261.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VegaStealer_v2.exe PID: 4180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: v2.exe PID: 2172, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED

Remote Access Functionality

Yara detected Ades Stealer

Source: Yara match	File source: 3.0.v2.exe.6b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000003.1707975693.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.1708524074.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VegaStealer_v2.exe PID: 4180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: v2.exe PID: 2172, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED

Yara detected Nitro Stealer

Source: Yara match	File source: 3.0.v2.exe.6b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000003.1707975693.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.1708524074.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1792575261.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED

Source: Yara match	File source: 3.0.v2.exe.6b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000003.1707975693.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.1708524074.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VegaStealer_v2.exe PID: 4180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: v2.exe PID: 2172, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED

Yara detected Telegram RAT

Source: Yara match	File source: 3.0.v2.exe.6b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000003.1707975693.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.1708524074.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1792575261.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VegaStealer_v2.exe PID: 4180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: v2.exe PID: 2172, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED

Yara detected VEGA Stealer

Source: Yara match	File source: 3.0.v2.exe.6b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000003.1707975693.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.1708524074.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1792575261.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1792575261.0000000002ECE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VegaStealer_v2.exe PID: 4180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: v2.exe PID: 2172, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED

Source: C:\Users\user\AppData\Local\Temp\v2.exe

Code function: 3_2_6BC29200 GetModuleHandleW,GetModuleHandleW,OutputDebugStringA,OutputDebugStringA,GetProcAddress,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,OutputDebugStringA,OutputDebugStringA,GetLastError,GetProcAddress,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,CorBindToRuntimeEx,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,_memset,__snprintf,OutputDebugStringA,

3_2_6BC29200

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	11 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	3 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	25 System Information Discovery	SMB/Windows Admin Shares	1 Screen Capture	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Timestomp	NTDS	351 Security Software Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	151 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	151 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
SharcHack.exe	95%	ReversingLabs	Win32.Trojan.Dorv
SharcHack.exe	100%	Avira	DR/Delphi.Gen
SharcHack.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\SharcHack.exe	100%	Avira	DR/Delphi.Gen
C:\Users\user\AppData\Local\Temp\v2.exe	100%	Avira	HEUR/AGEN.1307418
C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	100%	Avira	HEUR/AGEN.1339346
C:\Users\user\AppData\Local\Temp\v2.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\BouncyCastle.Crypto.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\EntityFramework.SqlServer.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\EntityFramework.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Newtonsoft.Json.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\SQLite.Interop.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\SharcHack.exe	89%	ReversingLabs	Win32.Trojan.Dorv
C:\Users\user\AppData\Local\Temp\System.Data.SQLite.EF6.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\System.Data.SQLite.Linq.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\System.Data.SQLite.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	100%	ReversingLabs	Win32.Hacktool.Vbinder
C:\Users\user\AppData\Local\Temp\v2.exe	83%	ReversingLabs	ByteCode-MSIL.Infostealer.Stealgen

Source	Detection	Scanner	Label
http://ip-api.commi	0%	Avira URL Cloud	safe
http://ocsp.digicert.c	0%	Avira URL Cloud	safe
http://ns.adobe.0/	0%	Avira URL Cloud	safe
http://go.microsof	0%	Avira URL Cloud	safe
https://api.vimeworld.ru/user/name/	0%	Avira URL Cloud	safe
http://go.microsoft	0%	Avira URL Cloud	safe
http://crl3.digicert.cPom/D	0%	Avira URL Cloud	safe
http://go.micr	0%	Avira URL Cloud	safe
https://answers.netlify.com/t/support-guide-i-ve-deployed-my-site-but-i-still-see-page-not-found/125	0%	Avira URL Cloud	safe
http://cacerts.di	0%	Avira URL Cloud	safe
http://go.microso	0%	Avira URL Cloud	safe
http://crl3.digicert	0%	Avira URL Cloud	safe
http://ip-api.comd	0%	Avira URL Cloud	safe
http://crPl3.d	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
ipbase.com	172.67.209.71	true	false	high
ip-api.com	208.95.112.1	true	false	high
freegeoip.app	104.21.73.97	true	false	high

Contacted URLs

Name	Malicious	Reputation
http://ip-api.com/json/?fields=61439	false	high
https://freegeoip.app/xml/	false	high
https://ipbase.com/xml/	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	v2.exe, 00000003.00000002.1796779654.0000000003BB8000.00000004.00000800.00020000.00000000.sdmp, tmp91C8.tmp.dat.3.dr, tmp908A.tmp.dat.3.dr	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	tmp91C9.tmp.tmpdb.3.dr	false		high
https://duckduckgo.com/ac/?q=	v2.exe, 00000003.00000002.1796779654.0000000003BB8000.00000004.00000800.00020000.00000000.sdmp, tmp91C8.tmp.dat.3.dr, tmp908A.tmp.dat.3.dr	false		high
http://ip-api.commi	v2.exe, 00000003.00000002.1792575261.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot	v2.exe, 00000003.00000002.1792575261.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	false		high
https://freegeoip.app	v2.exe, 00000003.00000002.1792575261.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.digicert.c	VegaStealer_v2.exe, 00000002.00000003.1698528738.0000000000DC7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://system.data.sqlite.org/X	VegaStealer_v2.exe, 00000002.00000003.1701496803.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000003.00000002.1798373548.00000000052A4000.00000002.00000001.01000000.0000000A.sdmp, System.Data.SQLite.dll.2.dr	false		high
https://www.newtonsoft.com/json	VegaStealer_v2.exe, 00000002.00000003.1698752807.00000000031B5000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.2.dr	false		high
http://ip-api.com/json/?fields=61439d	v2.exe, 00000003.00000002.1792575261.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	v2.exe, 00000003.00000002.1796779654.0000000003BB8000.00000004.00000800.00020000.00000000.sdmp, tmp91C8.tmp.dat.3.dr, tmp908A.tmp.dat.3.dr	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	v2.exe, 00000003.00000002.1792575261.0000000002D38000.00000004.00000800.00020000.00000000.sdmp, v2.exe, 00000003.00000002.1796779654.0000000003BA0000.00000004.00000800.00020000.00000000.sdmp, History.txt.3.dr, tmp9158.tmp.dat.3.dr, tmp9188.tmp.dat.3.dr	false		high
http://go.micros	VegaStealer_v2.exe, 00000002.00000003.1696578468.00000000031BC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ns.adobe.0/	v2.exe, 00000003.00000002.1801026072.0000000007751000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://answers.netlify.com/t/support-guide-i-ve-deployed-my-site-but-i-still-see-page-not-found/125	v2.exe, 00000003.00000002.1792575261.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, v2.exe, 00000003.00000002.1792575261.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2T	v2.exe, 00000003.00000002.1792575261.0000000002D38000.00000004.00000800.00020000.00000000.sdmp	false		high
http://go.microsof	VegaStealer_v2.exe, 00000002.00000003.1696578468.00000000031BC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ip-api.com/json/?fieldsT	v2.exe, 00000003.00000002.1792575261.0000000002ECE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://go.micr	VegaStealer_v2.exe, 00000002.00000003.1696578468.00000000031BC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	v2.exe, 00000003.00000002.1796779654.0000000003B7B000.00000004.00000800.00020000.00000000.sdmp, tmp9158.tmp.dat.3.dr, tmp9188.tmp.dat.3.dr	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	v2.exe, 00000003.00000002.1796779654.0000000003BB8000.00000004.00000800.00020000.00000000.sdmp, tmp91C8.tmp.dat.3.dr, tmp908A.tmp.dat.3.dr	false		high
http://ip-api.com	v2.exe, 00000003.00000002.1792575261.0000000002ECE000.00000004.00000800.00020000.00000000.sdmp, v2.exe, 00000003.00000002.1792575261.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.vimeworld.ru/user/name/	v2.exe, 00000003.00000002.1792575261.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://go.microsoft	VegaStealer_v2.exe, 00000002.00000003.1696578468.00000000031BC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.sqlite.org/lang_corefunc.html	VegaStealer_v2.exe, 00000002.00000003.1707696560.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1704508924.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, System.Data.SQLite.EF6.dll.2.dr, System.Data.SQLite.Linq.dll.2.dr	false		high
https://t.me/VegaStealer_bot	VegaStealer_v2.exe, 00000002.00000003.1707975693.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000003.00000000.1708524074.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, v2.exe, 00000003.00000002.1792575261.0000000002ECE000.00000004.00000800.00020000.00000000.sdmp, v2.exe, 00000003.00000002.1792575261.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, v2.exe, 00000003.00000002.1792575261.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, v2.exe.2.dr, Information.txt.3.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	v2.exe, 00000003.00000002.1792575261.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ipbase.com	v2.exe, 00000003.00000002.1792575261.0000000002B79000.00000004.00000800.00020000.00000000.sdmp	false		high
http://cacerts.di	VegaStealer_v2.exe, 00000002.00000003.1698528738.0000000000DC7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl3.digicert.cPom/D	VegaStealer_v2.exe, 00000002.00000003.1691516115.0000000002D81000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1693877532.00000000031BB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.sqlite.org/lang_c	VegaStealer_v2.exe, 00000002.00000003.1706844726.0000000000DCA000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1701954692.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2T~R	v2.exe, 00000003.00000002.1792575261.0000000002D38000.00000004.00000800.00020000.00000000.sdmp	false		high
https://t.me/VegaStealer_bot-/sendDocument?chat_id=	VegaStealer_v2.exe, 00000002.00000003.1707975693.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000003.00000000.1708524074.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, v2.exe.2.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	v2.exe, 00000003.00000002.1796779654.0000000003BB8000.00000004.00000800.00020000.00000000.sdmp, tmp91C8.tmp.dat.3.dr, tmp908A.tmp.dat.3.dr	false		high
http://go.microso	VegaStealer_v2.exe, 00000002.00000003.1696578468.00000000031BC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/profiles/ASOFTWARE	VegaStealer_v2.exe, 00000002.00000003.1707975693.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000003.00000000.1708524074.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, v2.exe.2.dr	false		high
http://crl3.digicert	VegaStealer_v2.exe, 00000002.00000003.1699963167.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.sqlite.org/lang_aggfunc.html	VegaStealer_v2.exe, 00000002.00000003.1707696560.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1704508924.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, System.Data.SQLite.EF6.dll.2.dr, System.Data.SQLite.Linq.dll.2.dr	false		high
http://ip-api.comd	v2.exe, 00000003.00000002.1792575261.0000000002ECE000.00000004.00000800.00020000.00000000.sdmp, v2.exe, 00000003.00000002.1792575261.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	v2.exe, 00000003.00000002.1796779654.0000000003BB8000.00000004.00000800.00020000.00000000.sdmp, tmp91C8.tmp.dat.3.dr, tmp908A.tmp.dat.3.dr	false		high
http://go.microsoft.	VegaStealer_v2.exe, 00000002.00000003.1696578468.00000000031BC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	v2.exe, 00000003.00000002.1792575261.0000000002D38000.00000004.00000800.00020000.00000000.sdmp, v2.exe, 00000003.00000002.1796779654.0000000003BA0000.00000004.00000800.00020000.00000000.sdmp, History.txt.3.dr, tmp9158.tmp.dat.3.dr, tmp9188.tmp.dat.3.dr	false		high
https://www.sqlite.org/copyright.html2	VegaStealer_v2.exe, 00000002.00000003.1692241734.0000000002ED9000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1694435387.00000000032D4000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000003.00000002.1803093953.000000006BD4C000.00000002.00000001.01000000.0000000B.sdmp, SQLite.Interop.dll.2.dr	false		high
http://crPl3.d	VegaStealer_v2.exe, 00000002.00000003.1691516115.0000000002D81000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1693877532.00000000031BB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	v2.exe, 00000003.00000002.1796779654.0000000003BB8000.00000004.00000800.00020000.00000000.sdmp, tmp91C8.tmp.dat.3.dr, tmp908A.tmp.dat.3.dr	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	tmp91C9.tmp.tmpdb.3.dr	false		high
http://james.newtonking.com/projects/json	Newtonsoft.Json.dll.2.dr	false		high
https://freegeoip.app/xml/9https://api.telegram.org/botGhttps://api.vimeworld.ru/user/name/1--------	VegaStealer_v2.exe, 00000002.00000003.1707975693.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000003.00000000.1708524074.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, v2.exe.2.dr	false		high
https://ac.ecosia.org/autocomplete?q=	v2.exe, 00000003.00000002.1796779654.0000000003BB8000.00000004.00000800.00020000.00000000.sdmp, tmp91C8.tmp.dat.3.dr, tmp908A.tmp.dat.3.dr	false		high
http://go.micro	VegaStealer_v2.exe, 00000002.00000003.1696578468.00000000031BC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.sqlite.org/lang	VegaStealer_v2.exe, 00000002.00000003.1706844726.0000000000DCA000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1701954692.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.newtonsoft.com/jsonschema	Newtonsoft.Json.dll.2.dr	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id	v2.exe, 00000003.00000002.1792575261.0000000002D38000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.nuget.org/packages/Newtonsoft.Json.Bson	v2.exe, v2.exe, 00000003.00000002.1799619279.0000000006032000.00000002.00000001.01000000.00000009.sdmp, Newtonsoft.Json.dll.2.dr	false		high
https://support.mozilla.org	tmp91C9.tmp.tmpdb.3.dr	false		high
https://urn.to/r/sds_see	System.Data.SQLite.dll.2.dr	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	v2.exe, 00000003.00000002.1796779654.0000000003B7B000.00000004.00000800.00020000.00000000.sdmp, tmp9158.tmp.dat.3.dr, tmp9188.tmp.dat.3.dr	false		high
https://system.data.sqlite.org/	System.Data.SQLite.dll.2.dr	false		high
https://github.com/novotnyllc/bc-csharp	VegaStealer_v2.exe, 00000002.00000003.1695952349.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, BouncyCastle.Crypto.dll.2.dr	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	v2.exe, 00000003.00000002.1796779654.0000000003BB8000.00000004.00000800.00020000.00000000.sdmp, tmp91C8.tmp.dat.3.dr, tmp908A.tmp.dat.3.dr	false		high
http://crl3.d	VegaStealer_v2.exe, 00000002.00000003.1706844726.0000000000DCA000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000002.00000003.1701954692.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
172.67.209.71	ipbase.com	United States	13335	CLOUDFLARENETUS	false
104.21.73.97	freegeoip.app	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581501
Start date and time:	2024-12-27 22:46:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SharcHack.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/43@3/3
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 82% Number of executed functions: 47 Number of non-executed functions: 224
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Excluded IPs from analysis (whitelisted): 4.245.163.56
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, sls.update.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
Execution Graph export aborted for target SharcHack.exe, PID 2144 because there are no executed function
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: SharcHack.exe

Simulations

Behavior and APIs

Time	Type	Description
16:47:04	API Interceptor	53x Sleep call for process: v2.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	987656789009800.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	good.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	ip-api.com/json/
	Client-built.exe	Get hash	malicious	Quasar	Browse	ip-api.com/json/
	DHL AWB-documents.lnk	Get hash	malicious	Divulge Stealer	Browse	ip-api.com/json/?fields=225545
	main.exe	Get hash	malicious	Python Stealer, Discord Token Stealer, PRYSMAX STEALER	Browse	ip-api.com/json/8.46.123.189?fields=192511
	main.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/8.46.123.189?fields=192511
	HX Design.exe	Get hash	malicious	Python Stealer, Blank Grabber	Browse	ip-api.com/json/?fields=225545
	dF66DKQP7u.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	2QaN4hOyJs.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	fvbhdyuJYi.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
172.67.209.71	External.exe	Get hash	malicious	Ades Stealer, BlackGuard, VEGA Stealer	Browse
	xj40xovMsm.exe	Get hash	malicious	AsyncRAT, AveMaria, Keyzetsu Clipper, MicroClip, PureLog Stealer, RL STEALER, RedLine	Browse
	qdHMT36Tn9.exe	Get hash	malicious	44Caliber Stealer, Njrat, Rags Stealer	Browse
	dudick SystemDesk Important Crediential Notification 1.eml	Get hash	malicious	HTMLPhisher	Browse
	123.scr.exe	Get hash	malicious	Rags Stealer	Browse
	123.scr.exe	Get hash	malicious	Rags Stealer	Browse
	SecuriteInfo.com.FileRepMalware.dll	Get hash	malicious	Unknown	Browse
	case (426).xls	Get hash	malicious	Unknown	Browse
	case (61).xls	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipbase.com	ypauPrrA08.exe	Get hash	malicious	Ades Stealer, BlackGuard, VEGA Stealer	Browse	104.21.85.189
	Loader.exe	Get hash	malicious	44Caliber Stealer, BlackGuard, Rags Stealer	Browse	104.21.85.189
	Nursultan.exe	Get hash	malicious	44Caliber Stealer, BlackGuard, Blank Grabber, Rags Stealer, Umbral Stealer, XWorm	Browse	104.21.85.189
	External.exe	Get hash	malicious	Ades Stealer, BlackGuard, VEGA Stealer	Browse	172.67.209.71
	xj40xovMsm.exe	Get hash	malicious	AsyncRAT, AveMaria, Keyzetsu Clipper, MicroClip, PureLog Stealer, RL STEALER, RedLine	Browse	172.67.209.71
	Pots.exe	Get hash	malicious	44userber Stealer, Rags Stealer	Browse	104.21.85.189
	qdHMT36Tn9.exe	Get hash	malicious	44Caliber Stealer, Njrat, Rags Stealer	Browse	172.67.209.71
	64drop.exe	Get hash	malicious	44Caliber Stealer, Rags Stealer	Browse	104.21.85.189
	123.scr.exe	Get hash	malicious	Unknown	Browse	104.21.85.189
	123.scr.exe	Get hash	malicious	Rags Stealer	Browse	172.67.209.71
ip-api.com	987656789009800.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	good.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	208.95.112.1
	Client-built.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	DHL AWB-documents.lnk	Get hash	malicious	Divulge Stealer	Browse	208.95.112.1
	main.exe	Get hash	malicious	Python Stealer, Discord Token Stealer, PRYSMAX STEALER	Browse	208.95.112.1
	main.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	HX Design.exe	Get hash	malicious	Python Stealer, Blank Grabber	Browse	208.95.112.1
	dF66DKQP7u.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	2QaN4hOyJs.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	fvbhdyuJYi.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
freegeoip.app	ypauPrrA08.exe	Get hash	malicious	Ades Stealer, BlackGuard, VEGA Stealer	Browse	188.114.97.3
	Loader.exe	Get hash	malicious	44Caliber Stealer, BlackGuard, Rags Stealer	Browse	188.114.97.3
	Nursultan.exe	Get hash	malicious	44Caliber Stealer, BlackGuard, Blank Grabber, Rags Stealer, Umbral Stealer, XWorm	Browse	188.114.97.3
	External.exe	Get hash	malicious	Ades Stealer, BlackGuard, VEGA Stealer	Browse	188.114.96.3
	Insidious_protected.exe	Get hash	malicious	44Caliber Stealer, BlackGuard, Rags Stealer	Browse	188.114.96.3
	nyen2eabmfb.exe	Get hash	malicious	44Caliber Stealer, BlackGuard, Rags Stealer	Browse	188.114.97.3
	Cheat.exe	Get hash	malicious	44Caliber Stealer, BlackGuard, Rags Stealer	Browse	188.114.97.3
	B5U2ccQ8H1.exe	Get hash	malicious	RL STEALER, StormKitty	Browse	188.114.97.3
	xj40xovMsm.exe	Get hash	malicious	AsyncRAT, AveMaria, Keyzetsu Clipper, MicroClip, PureLog Stealer, RL STEALER, RedLine	Browse	188.114.96.3
	Pots.exe	Get hash	malicious	44userber Stealer, Rags Stealer	Browse	104.21.73.97

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	987656789009800.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	good.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	208.95.112.1
	http://au.kirmalk.com/watch.php?vid=7750fd3c8	Get hash	malicious	Unknown	Browse	162.252.214.4
	Client-built.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	DHL AWB-documents.lnk	Get hash	malicious	Divulge Stealer	Browse	208.95.112.1
	main.exe	Get hash	malicious	Python Stealer, Discord Token Stealer, PRYSMAX STEALER	Browse	208.95.112.1
	main.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	HX Design.exe	Get hash	malicious	Python Stealer, Blank Grabber	Browse	208.95.112.1
	file.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, XWorm	Browse	208.95.112.1
	dF66DKQP7u.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
CLOUDFLARENETUS	NewSetup.exe	Get hash	malicious	LummaC	Browse	172.67.157.249
	ForcesLangi.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	iviewers.dll	Get hash	malicious	LummaC	Browse	104.21.60.24
	http://track.rbfcu.org/y.z?l=https://google.com/amp/s/t.ly/5SpZS&r=14387614172&d=18473&p=2&t=h	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	launcher.exe	Get hash	malicious	LummaC	Browse	104.21.58.80
	Leside-.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	solara-executor.exe	Get hash	malicious	Unknown	Browse	172.67.75.163
	Setup.exe	Get hash	malicious	Unknown	Browse	104.21.2.114
	Setup.exe	Get hash	malicious	Unknown	Browse	104.21.2.114
	http://proxyium.com	Get hash	malicious	Unknown	Browse	104.21.80.92
CLOUDFLARENETUS	NewSetup.exe	Get hash	malicious	LummaC	Browse	172.67.157.249
	ForcesLangi.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	iviewers.dll	Get hash	malicious	LummaC	Browse	104.21.60.24
	http://track.rbfcu.org/y.z?l=https://google.com/amp/s/t.ly/5SpZS&r=14387614172&d=18473&p=2&t=h	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	launcher.exe	Get hash	malicious	LummaC	Browse	104.21.58.80
	Leside-.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	solara-executor.exe	Get hash	malicious	Unknown	Browse	172.67.75.163
	Setup.exe	Get hash	malicious	Unknown	Browse	104.21.2.114
	Setup.exe	Get hash	malicious	Unknown	Browse	104.21.2.114
	http://proxyium.com	Get hash	malicious	Unknown	Browse	104.21.80.92

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	iviewers.dll	Get hash	malicious	LummaC	Browse	172.67.209.71 104.21.73.97
	Flasher.exe	Get hash	malicious	Luca Stealer, Rusty Stealer	Browse	172.67.209.71 104.21.73.97
	738KZNfnzz.exe	Get hash	malicious	LummaC	Browse	172.67.209.71 104.21.73.97
	TCKxnQ5CPn.exe	Get hash	malicious	Unknown	Browse	172.67.209.71 104.21.73.97
	OiMp3TH.exe	Get hash	malicious	LummaC	Browse	172.67.209.71 104.21.73.97
	n5Szx8qsFB.lnk	Get hash	malicious	Unknown	Browse	172.67.209.71 104.21.73.97
	A4FY1OA97K.lnk	Get hash	malicious	DanaBot	Browse	172.67.209.71 104.21.73.97
	vreFmptfUu.lnk	Get hash	malicious	DanaBot	Browse	172.67.209.71 104.21.73.97
	skript.bat	Get hash	malicious	Vidar	Browse	172.67.209.71 104.21.73.97
	msgde.exe	Get hash	malicious	Quasar	Browse	172.67.209.71 104.21.73.97

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\BouncyCastle.Crypto.dll	psol.txt.ps1	Get hash	malicious	LummaC	Browse
	evhopi.ps1	Get hash	malicious	LummaC	Browse
	PixpFUv4G7.exe	Get hash	malicious	Quasar, XWorm	Browse
	PVUfopbGfc.exe	Get hash	malicious	Unknown	Browse
	OqAVRCkQ3T.exe	Get hash	malicious	Unknown	Browse
	PVUfopbGfc.exe	Get hash	malicious	LummaC	Browse
	OqAVRCkQ3T.exe	Get hash	malicious	LummaC	Browse
	mapMd1URzq.exe	Get hash	malicious	Unknown	Browse
	mnFHs2DuKg.exe	Get hash	malicious	Unknown	Browse
	External.exe	Get hash	malicious	Ades Stealer, BlackGuard, VEGA Stealer	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\v2.exe.log

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2589
Entropy (8bit):	5.347411404509576
Encrypted:	false
SSDEEP:	48:MxHKXAHKze41qHiYHKh3oPtHo6+JHOHKU57UxHKMR0mHKtXoCayH5H/HKMHsLHmY:iqQqzfwCYqh3oPtI6IuqU57UxqMRnqNq
MD5:	696C6189688136406D72A0798AF5224F
SHA1:	6826DD4A2B09E5782E8A6B5AF6BEADF218CA616E
SHA-256:	484E1D3A551A6570FB7861010591CB48E36F1F81625879622AA8E12BAC367639
SHA-512:	17FE4A4C421A997265541E05E77FF4D7F5BFE6007D41A2293B3C62A0079CEDD0BCB346EDC6038A41F43DFE4D86493CE52EFBA34F92CF173D422809A9948BD746
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyT

C:\Users\user\AppData\Local\Temp\1a476fd9-290d-4458-a6ca-4fc425eee287

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\2ebe49af-d240-4fda-ba65-7943a7c6bb52

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\BouncyCastle.Crypto.dll

Process:	C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3316968
Entropy (8bit):	6.532906510598102
Encrypted:	false
SSDEEP:	49152:JIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9Y:6BbBWIgWljGxRB/LLY
MD5:	0CF454B6ED4D9E46BC40306421E4B800
SHA1:	9611AA929D35CBD86B87E40B628F60D5177D2411
SHA-256:	E51721DC0647F4838B1ABC592BD95FD8CB924716E8A64F83D4B947821FA1FA42
SHA-512:	85262F1BC67A89911640F59A759B476B30CA644BD1A1D9CD3213CC8AAE16D7CC6EA689815F19B146DB1D26F7A75772CEB48E71E27940E3686A83EB2CF7E46048
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: psol.txt.ps1, Detection: malicious, Browse Filename: evhopi.ps1, Detection: malicious, Browse Filename: PixpFUv4G7.exe, Detection: malicious, Browse Filename: PVUfopbGfc.exe, Detection: malicious, Browse Filename: OqAVRCkQ3T.exe, Detection: malicious, Browse Filename: PVUfopbGfc.exe, Detection: malicious, Browse Filename: OqAVRCkQ3T.exe, Detection: malicious, Browse Filename: mapMd1URzq.exe, Detection: malicious, Browse Filename: mnFHs2DuKg.exe, Detection: malicious, Browse Filename: External.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....R............" ..0..r2..........&1.. ....2...... ........................2.....6Q3...@.................................G&1.O.....2..............\|2.. ....2.....X.(.p............................................ ............... ..H............text....p2.. ...r2................. ..`.rsrc.........2......t2.............@..@.reloc........2......z2.............@..B................{&1.....H...........$....................(.....................................V!........s..........~....-(....o....o....o.........~....-.~.........~......( ......0..G.......(!....o"....s.1....s,..%..(.... ....o.....o 0...Zo....t....o8(..(......0..$..........(.....(....o.....(!.......io#...z...(....(!....o"...o....(......0............T....r...p.(O....o$....(......0..I.......sG...sB)..s.(..s.(...(....s6(....,..o%....2...(....sV(....+.....%..ox.....( ...*V.(&.....}......}..

C:\Users\user\AppData\Local\Temp\EntityFramework.SqlServer.dll

Process:	C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	586632
Entropy (8bit):	6.059056255747647
Encrypted:	false
SSDEEP:	6144:Pbfapjp4pWVWvFdpxhGOdBB6OHK1ivk4PQG2puGeqVmjaVmnS4bfu65B:P7usAOvphbu65
MD5:	F32CE9A5A866313D1A3391AA42153F4A
SHA1:	7404383A681A2EC1C5BF24152FA298E934F53783
SHA-256:	4583F9D1E62C90E3BC41D9FEACCA8152E3BB067B767E806872772EA9A55803E9
SHA-512:	A276ED47E0687699E844DFB8215B4EF922EB6B853D7CA4BBF707B4439C26F8AFC6886F00AF0B3BA76E2DD322A0870594D81BCDC2095656A2E5B78568DC5F3F51
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0................. ........... .......................@......k$....`.....................................O.......t................#... ..........T............................................ ............... ..H............text...X.... ...................... ..`.rsrc...t...........................@..@.reloc....... ......................@..B........................H............................]..l.........................................{,.....{-...V.(......},.....}-......0..;........u......,/(/....{,....{,...o0...,.(1....{-....{-...o2..... #'p )UU.Z(/....{,...o3...X )UU.Z(1....{-...o4...X.0..X........r...p......%..{,............-.&.+.......o5....%..{-............-.&.+.......o5....(6...V.(7.....(......(......{...."..}......{...."..}....:.(......}......J.......s8...(...+J.......s9...(...+*........s:...(...+%-.&.......s:.

C:\Users\user\AppData\Local\Temp\EntityFramework.dll

Process:	C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4773480
Entropy (8bit):	6.084582408535823
Encrypted:	false
SSDEEP:	49152:Ifl9Yy1hblT0KVDuv06QBhBiMyHBzwFRdH:IkutRVDuv06QbBisF
MD5:	00D48A062EF3DFFBA05159D019CF427D
SHA1:	4BA6DB0470C776423D73438894207B1D6F1E7B5D
SHA-256:	7E60999A5741B9B041D3A8D9BAD1C952E4CCE8216142327AB413B1DDCA70A4C5
SHA-512:	14B4F20F87B72C8BB0F129FDFA1B865DBC63E49B6FF763D29516AD7B235288FB959BD35609BAA3FD80E07BE4FBEB120EAAE475B7628A85D6CBC0110A442D39CE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...y]............" ..0...H........../H.. ....H...... ....................... I......AI...`...................................H.O.....H.$.............H.h$....I......-H.T............................................ ............... ..H............text.....H.. ....H................. ..`.rsrc...$.....H.......H.............@..@.reloc........I.......H.............@..B..................H.....H.............'.........d.>.....\-H.......................................{".....{#...V.($.....}".....}#......0..;........u......,/(%....{"....{"...o&...,.('....{#....{#...o(..... dL.. )UU.Z(%....{"...o)...X )UU.Z('....{#...o...X.0..X........r...p......%..{"............-.&.+.......o+....%..{#........w...-.&.+...w...o+....(,.....{-.....{....V.($.....}-.....}.......0..;........u......,/(%....{-....{-...o&...,.('....{.....{....o(....*. ...z )UU.Z(%....{-...o)...X )UU

C:\Users\user\AppData\Local\Temp\Newtonsoft.Json.dll

Process:	C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	584976
Entropy (8bit):	5.91011541005501
Encrypted:	false
SSDEEP:	6144:1cHfLcN/a4L/uhxq9UVFYHjL3VMsWn1s6QjRhF9gauyBuntfV+jPuxJk:1cTcVa4Lwxqc4jL3VKQjRhFjBDjPuxJk
MD5:	169B6D383B7C650AB3AE2129397A6CF3
SHA1:	FCAEF7DEFB04301FD55FB1421BB15EF96D7040D6
SHA-256:	B896083FEB2BDEDC1568B62805DBD354C55E57F2D2469A52AEC6C98F4EC2DEDF
SHA-512:	7A7A7BDB508B8BF177249251C83B65A2EF4A5D8B29397CAB130CB8444B23888678673A9A2E4B1C74CC095B358F923B9E7E5A91BFA8C240412D95765851F1DD87
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.................. ........... ....................... ......$.....@.....................................O......................../..............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........o...`..................x.........................................(......(....^.(...........%...}....:.(......}....:.(......}......(....:.(......}......{......(......(....:.(......}......{.....(.............}.....(......{.....X.....}......0...........-.~.....~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..\|....(......._..{........+,..{e....3...{d......(....,...{d.....{f.......-.....0...........-.r...ps....z.o......-.~.....~....

C:\Users\user\AppData\Local\Temp\SQLite.Interop.dll

Process:	C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1402032
Entropy (8bit):	6.88401160982436
Encrypted:	false
SSDEEP:	24576:dMDaUv84L2G9qOzAMmMt9MXakDg+XoP2STgVUrrKfw/Rhngqno:dfW9GMvMX9onGAXno
MD5:	0A1E95B0B1535203A1B8479DFF2C03FF
SHA1:	20C4B4406E8A3B1B35CA739ED59AA07BA867043D
SHA-256:	788D748B4D35DFD091626529457D91E9EBC8225746211086B14FB4A25785A51E
SHA-512:	854ABCCA8D807A98A9AD0CA5D2E55716C3CE26FAE7EE4642796BAF415C3CFAD522B658963EAFE504ECAED6C2ECDCDF332C9B01E43DFA342FCC5CA0FBEDFE600E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........KA...A...A...Z/m.a...Z/X.}...Z/l....H.U.I..._.U.B...A......Z/h.@...Z/].@...Z/\.@...Z/[.@...RichA...................PE..L...6.c...........!.........:.......4.......................................`......7.....@..........................#..:...t...x........................T..........p...............................@...@...............(............................text............................... ..`.rdata..*M.......N..................@..@.data....t...@...T...$..............@....rsrc................x..............@..@.reloc..h...........................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\SharcHack.exe

Process:	C:\Users\user\Desktop\SharcHack.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	77312
Entropy (8bit):	3.8569023886730482
Encrypted:	false
SSDEEP:	384:wBefgxUEnXa78sc0xmBhUoEZpJf9DYPWhg/hAOdSKfzQ0OPb+xskPjgQH/5xupjL:wBKny4eb2NR
MD5:	0589483666F8F55DE5CD74FDC3D1B4AE
SHA1:	03F9C06C7741A992A3F3E334D582AEB8E915EB8B
SHA-256:	E57998B685106E65EF6F913F8ACEA22BC8BBBAD8FB299D696766FF09F294E226
SHA-512:	D3F7D67970A541290127CE1F9894803558F69DC22DD412CDE1F2C4515C34E8F39C54394F74E2B5DC7783398D97935A5AD9422CC4D314A341EDE713A28BB6F811
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 89%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*............................. .......0....@..............................................@...........................P...............................................................p......................................................CODE................................ ..`DATA....\|....0......................@...BSS..........@...........................idata.......P......................@....tls.........`...........................rdata.......p......................@..P.reloc............... ..............@..P.rsrc................"..............@..P.....................$..............@..P........................................................................................................................................

C:\Users\user\AppData\Local\Temp\System.Data.SQLite.EF6.dll

Process:	C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	208560
Entropy (8bit):	6.124592164027391
Encrypted:	false
SSDEEP:	3072:wP46KP8cdA0TEocO+zaZ9W3+wLLexyLKHxLj:k46KP8c+0Qs
MD5:	162E50541954D792420156956B09D410
SHA1:	F10943992EAD2DD222DF7CCFC76D74D495EF086D
SHA-256:	20D7E37FEDCE140669E2A2D89F4E7A67405134CA1876A55F9CF9AB0EAE8F206E
SHA-512:	A86167344C9645387B6B0C95AB19F2ADFEE5573AB2C6068E38E3DE0B94990379A948F0E10214B6F7DCF1F5E3159032217113267B8A7B4365F19BA970A8A51BF9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... .c...........!..................... ........... .......................@......<.....@.................................l...O........................T... ......4................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H......../..................n...P .........................................pf.P.Y@.....D.8.Y..s.1.z#..../.....`.ZpW..45....F..W.K.(......... r24..6.5.....\.......5.9_e.eX..X......6.m.rp.M.'...(.....0..3.......~.....(...., r...p.....(....o....s...........~.....~...........V(....r=..p~....o....V(....ri..p~....o.......0..6.......~....s.........o.........r...ps......r...po....&.o ...o!....o"....o#...&...r...po....&.o$...o%.....+D..o&...t......,...+..r...po....&.o'

C:\Users\user\AppData\Local\Temp\System.Data.SQLite.Linq.dll

Process:	C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	208568
Entropy (8bit):	6.1218954888666905
Encrypted:	false
SSDEEP:	1536:7yuS8cGzz6KP8cp1x+PAaDOEzxOkqabge94h0Ero7v6PxlcU7vtPCjRTZPxB:7PX6KP8cp1kYcOnnaZ9W3roLGxPL2Xx
MD5:	355BBEA5EE15D806E0D6BD6DBD25F494
SHA1:	B41EBF0FF5C4EFFA1FD123845EFE03764E91341E
SHA-256:	8E2AE9D4A03E95C714D7835310795B7E0434B8AA3448E6A5B106AD9DBBA0158F
SHA-512:	AD453A26A22EFB522126208A1E7EBEE6EC429FDE52F4A3D30212EF9F58E39714FD7F42D05031BF31992199AEA573F9F1887DC83ED30093527D3E8B33476A4387
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....c...........!................>.... ........... .......................@......C8....@.....................................W........................T... ....................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................ .......H......../..................n...P ......................................[...HD..0iU.....h..Y#...D.m..Ze...W.fj....~..9>..u.Q=...5P.9sw....~...Cg......c..X.....~..}....:@Gk...M..i,...`R....Z[-q.}.M..(.....0..3.......~.....(...., r...p.....(....o....s...........~.....~...........V(....r=..p~....o....V(....ri..p~....o.......0..6.......~....s.........o.........r...ps......r...po....&.o ...o!....o"....o#...&...r...po....&.o$...o%.....+D..o&...t......,...+..r...po....&.o'

C:\Users\user\AppData\Local\Temp\System.Data.SQLite.dll

Process:	C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	420528
Entropy (8bit):	6.162571798892841
Encrypted:	false
SSDEEP:	12288:OPaYZ6henFNFfcaFeFOFwcGF6cmFWc0FWc8cIcKcUFJFpcNcHc7cbchFFc5cbc1v:g6hetBJm333M8EGAB
MD5:	056D3FCAF3B1D32FF25F513621E2A372
SHA1:	851740BCA46BAB71D0B1D47E47F3EB8358CBEE03
SHA-256:	66B64362664030BFF1596CDA2EC5BD5DF48CC7C8313C32F771DB4AA30A3F86F9
SHA-512:	CE47C581538F48A46D70279A62C702195BEACBFAFB48A5A862B3922625FE56F6887D1679C6D9366F946D3D2124CB31C2A3EACBBD14D601EA56E66575CDF46180
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....c...........!.................+... ...@....... ...................................@.................................d+..W....@..p................T...`......,............................................... ............... ..H............text........ ...................... ..`.rsrc...p....@......................@..@.reloc.......`......................@..B.................+......H............M..........PM..J...P .......................................e...y....M.Yh~..Pb...q.q...+t.T.d.........v..Fq...:....unR.a5..Y.>...d.:.....Kuq.U9...d...K..d....K..E.$uh...a....1...w.:.(......}......{....:.(......}......{....r.(......}......}......}......0..5........-..~.....o.....X...v....~.......o......o .........6..(....(...."..(.....0..T........~!...("...-..-.~#...../....+...X....($...-..-.~#.....v........(%...~.......o&...Z.~....2..~.........

C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe

Process:	C:\Users\user\Desktop\SharcHack.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8068096
Entropy (8bit):	7.905088140781816
Encrypted:	false
SSDEEP:	98304:Rgl47z3Aldea5a/OhtJeq+4NK+dG7M0mWZsE6+YhU+dbkh4yiMP0Q:H/wld79ht+j1M0mWZsE6+YASy10Q
MD5:	9F4F298BCF1D208BD3CE3907CFB28480
SHA1:	05C1CFDE951306F8C6E9D484D3D88698C4419C62
SHA-256:	BF7057293D871CAC087DAAB42DAF22C1737A1DF6ADC7B7963989658F3B65F4CC
SHA-512:	4C763C3B6D4884F77083DB5CCADA59BC57803B3226294EFF2EC3DB8F2121AC01EE240B0E822CB090F5320CE40DF545B477E323EFABDBCA31722731ADC4B46806
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Q......................{.............. ....@...........................\|.............................................. ..P.......d.z.......................................................................... ...............................text...&........................... ..`.rdata....... ......................@..@.data........0......................@....rsrc...d.z.......z.................@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ff80c68a-299b-46e8-9325-f226d3c073b1

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ff80c68a-299b-46e8-9325-f226d3c073b1-shm

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp908A.tmp.dat

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp908B.tmp.tmpdb

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp9147.tmp.dat

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp9158.tmp.dat

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp9188.tmp.dat

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp9199.tmp.tmpdb

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp91C8.tmp.dat

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp91C9.tmp.tmpdb

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp9238.tmp.dat

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp9268.tmp.dat

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp9288.tmp.dat

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp92A8.tmp.dat

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\v2.exe

Process:	C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	278016
Entropy (8bit):	5.887323139606271
Encrypted:	false
SSDEEP:	6144:qmYKJMVRp9hnmy0UYU9B93YUnLbB62X3Rb36h3YQ:ZJ0Rp9hzL82ghIQ
MD5:	3F62213D184B639A0A62BCB1E65370A8
SHA1:	BBF50B3C683550684CDB345D348E98FBE2FCAFE0
SHA-256:	C692DFC29E70A17CABC19561E8E2662E1FE32FDBA998A09FE1A8DC2B7E045B34
SHA-512:	0CD40D714E6A6EBD60CC0C8B0E339905A5F1198A474A531B1794FB562F27053F118718CC68B9652FEF3411906F9D8AD22D0253AF256FA1922133E9907298E803
Malicious:	true
Yara Hits:	Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: Joe Security Rule: JoeSecurity_NitroStealer, Description: Yara detected Nitro Stealer, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: Joe Security Rule: JoeSecurity_BlackGuard, Description: Yara detected BlackGuard, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: Joe Security Rule: JoeSecurity_VEGAStealer, Description: Yara detected VEGA Stealer, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: Joe Security Rule: JoeSecurity_AdesStealer, Description: Yara detected Ades Stealer, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: Joe Security Rule: infostealer_win_lighting, Description: Detect the Lighting infostealer based on specific strings, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: Sekoia.io Rule: infostealer_win_stormkitty, Description: Finds StormKitty samples (or their variants) based on specific strings, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: Sekoia.io Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_References_VPN, Description: Detects executables referencing many VPN software clients. Observed in infosteslers, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: ditekSHen Rule: MALWARE_Win_A310Logger, Description: Detects A310Logger, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...tq................0..4..........J,... ...`....@.. ....................................`..................................+..O....`...............................+............................................... ............... ..H............text...@2... ...4.................. ..`.rsrc........`.......6..............@..@.reloc...............<..............@..B................,,......H...........D6..........$+................................................(%.....(%....0..........s....o....t....o&....8......('....r...p......%..o.....%..o.....%..o..........%..o.....%..o.....((....~....rC..p()....(.....&~....r...p()....(.....~.....X.......(+...:n.............o.......&r...p(,......(....e..\|...............................0..........s(...o-...t....o-....8......(.....r...p......%..o.....%..o.....%..o..........%..o.....%..o.....((....~....r...p()....(.....

C:\Users\user\AppData\Roaming\RHXHZFFNPuyLPR210395.user\Browsers\Firefox\Bookmarks.txt

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	105
Entropy (8bit):	3.8863455911790052
Encrypted:	false
SSDEEP:	3:RGtjybXLGSWK+ZjMGvRS3ZMz9GSOLj2SjyRE2qJ:hvWF7Ipg9OL2RE2m
MD5:	2E9D094DDA5CDC3CE6519F75943A4FF4
SHA1:	5D989B4AC8B699781681FE75ED9EF98191A5096C
SHA-256:	C84C98BBF5E0EF9C8D0708B5D60C5BB656B7D6BE5135D7F7A8D25557E08CF142
SHA-512:	D1F7EED00959E902BDB2125B91721460D3FF99F3BDFC1F2A343D4F58E8D4E5E5A06C0C6CDC0379211C94510F7C00D7A8B34FA7D0CA0C3D54CBBE878F1E9812B7
Malicious:	false
Preview:	### Get Help ###.### Customize Firefox ###.### Get Involved ###.### About Us ###.### Getting Started ###.

C:\Users\user\AppData\Roaming\RHXHZFFNPuyLPR210395.user\Browsers\Firefox\History.txt

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	94
Entropy (8bit):	4.886397362842801
Encrypted:	false
SSDEEP:	3:RGEnGPHA9lfMJJEFAN2DSLvIJiMhKVX3L2WdXuvn:DG/CF0EFAN2OLciA8d+v
MD5:	61CDD7492189720D58F6C5C975D6DFBD
SHA1:	6966AFE0DEC5B0ABD90291FA12C0F6B7EF73ED43
SHA-256:	2F345865397FF1952921DB0588A6B589BAF30E67A90E11F7064E515AC162E862
SHA-512:	20D5A1C9809DF4F5B9C789042E5B88928A5246F9EB44F9D265CA3AA6FC9544A582B758ECAF6BBB0E9CEE149BD0AAC5E6C63D954541D1B23A7FC11894121CC0AE
Malicious:	false
Preview:	### Firefox Privacy Notice . Mozilla ### (https://www.mozilla.org/en-US/privacy/firefox/) 1.

C:\Users\user\AppData\Roaming\RHXHZFFNPuyLPR210395.user\Browsers\Google\Cookies_Chrome.txt

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	ASCII text, with very long lines (522), with CRLF line terminators
Category:	dropped
Size (bytes):	3355
Entropy (8bit):	5.859711514959835
Encrypted:	false
SSDEEP:	96:jJMsoO2gicRq6Zi2L+ySstv3pP+YRBynqsCHw4R2cksQ:NiCRtpKQdA
MD5:	E7FE9C45ABECAFAD2E0254DC692B506D
SHA1:	74028143ACD8925C5A5702C457018B99FBBCC939
SHA-256:	015E4099C0D99A9AC9A9FBF362D26D4F049BA5EAA24D19EFA48E674DD28DD658
SHA-512:	B8875F3039E84088C1A758D75DF84862A3EF08462D044EB752E72F25AF109E1074292183449C3024B58E2745F61BC3138CBEBFB33984DD7164916F2577A7A826
Malicious:	false
Preview:	.google.com.TRUE./.FALSE.13356618603686193.NID.511=j8SQUTltnVU5cOAeyzqSxW-qHOakRuBHDQGLTGeceC9Z5rRzk5trMKb4CuZC_CFmc7KFwQcRJL-qGz8MvkkzMZmElvXAFWLO-TPZ9PMqBYA78ZAuaepnXIRHe-TAolVoW6Z7dQnqpgyX0m-TmS72bebAgoqZv5GkpRFUcZIw1Kk..support.microsoft.com.TRUE./.FALSE.13340887435186329..AspNetCore.AuthProvider.True..support.microsoft.com.TRUE./signin-oidc.FALSE.13340887735359381..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.N..support.microsoft.com.TRUE./signin-oidc.FALSE.13340887735359334..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkHB6alahUr8qJ7G_3AejtooymTWCzyO89hshJeX8Gh78kohbIw0IQY4v6LZriT4P2fGeBSMjrvqODB4H_bs2nbfsSfL7aN-SiX4Yyn3iFo5fv-Rsj0cGE-FFrP1uXNT7Y1VSMOfm-L0RnS8.N..support.office.com.TRUE./.FALSE.13372509232238068.EXPID.8e067c40-5461-4aef-885f-2c92ce6a5474...microsoft.com.TRUE./.FALSE.13372422837017624.MC1.GUID=749eee6039c5489b9db3000c7

C:\Users\user\AppData\Roaming\RHXHZFFNPuyLPR210395.user\Browsers\Google\History.txt

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1393
Entropy (8bit):	5.241470443395582
Encrypted:	false
SSDEEP:	24:PTIOm5oh9wxOm5pjRmZDKJfOm5pjRSpDKJfOmcTdmcOWz5oPpMcOWz5pjRVpbccU:PbmAwgm/VcDKJmm/VuDKJmmcBYpB/VVe
MD5:	7F24357FFA354F2471DED45552B897D7
SHA1:	1DC89FD89BA23EA0186D0D8559B27CF647ECF4DC
SHA-256:	573E409CB5579533BC387F3943FFFACAF7694269A38B4B56987E8A8B83CF3AD1
SHA-512:	202F2FC022B7C484E0EDCA890300C471CA3097217A20BF0DDC4E1DC277D411CA3742608302DDB2A0F4E6EAA662D1B741AC2F6A4566C3133A151D0EF83EEDB6A3
Malicious:	false
Preview:	### https://go.microsoft.com/fwlink/?linkid=851546 ### (Examples of Office product keys - Microsoft Support) 3.### https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 ### (Examples of Office product keys - Microsoft Support) 3.### https://support.microsoft.com/en-us/office/7d48285b-20e8-4b9b-91ad-216e34163bad?wt.mc_id=enterpk2016&ui=en-us&rs=en-us&ad=us ### (Examples of Office product keys - Microsoft Support) 3.### https://support.microsoft.com/en-us/office/examples-of-office-product-keys-7d48285b-20e8-4b9b-91ad-216e34163bad?wt.mc_id=enterpk2016&ui=en-us&rs=en-us&ad=us ### (Examples of Office product keys - Microsoft Support) 1.### https://go.microsoft.com/fwlink/?LinkId=2106243 ### (Install the English Language Pack for 32-bit Office - Microsoft Support) 3.### https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 ### (Install the English Language Pack for 32-bit Office - Microsoft Support) 3.### https://support.microsoft.com/

C:\Users\user\AppData\Roaming\RHXHZFFNPuyLPR210395.user\Files\DVWHKMNFNN.png

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	false
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\Users\user\AppData\Roaming\RHXHZFFNPuyLPR210395.user\Files\KATAXZVCPS.pdf

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Roaming\RHXHZFFNPuyLPR210395.user\Files\KZWFNRXYKI.png

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694982189683734
Encrypted:	false
SSDEEP:	24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
MD5:	E49F84B05A175C231342E6B705A24A44
SHA1:	41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
SHA-256:	EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
SHA-512:	84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
Malicious:	false
Preview:	KZWFNRXYKIQQDFEFEKFUFTLSCHHVHHFJVLINSSPODUWFGYCFXENRRFQZQNVRFJLXTKRPVZFZUDBIVIHPJCTZSMJNOWNCQAPYYHLTMHJJYECMUWUKYXMYBEVYHAFCNHVTPHXQKEQMWLDZKOKDMDUORJRRWKHVJLZNSFERFDAFUHPRYSOCWFZCHPEXICNDGFOZLLLNASUKYIOHUBCGSHVHTAAMQFTBUNSBDIPJOCUDVCBYOUPDCATAMJESONSVVDFARQOQHDTKDRVDWNHMPSWQTCDBOSQIMASLDMFOKOIPUFJNASKNMQOVCYYFVCKNWJBVIBCWMYJGLWMAZWJABPWRYFHPZVZTRFLFKJIVQMYASPFSBODYXKEEFHBTFSHZEWSGAGGMSRRYSACIWVPBTHVGVVYONDRAYVOWBYTTLWWPGWQAJDLYFDALUZCIBUOEBMSCKJILYNBNADCKXDVTLOFEMKULPCSYYTTPBZKLBPMPEQZHPJCMRWISRYUKSYBUOCFXUPORADUTYINWCOLTVNYNBVHTATWIAMJBNCYZTMQLJOZXQMVQWJAGLZBDTPNMMKABCUCOYDSRVMYDKVJFRZRLIKSQNEMHUWIXWIACERSGEBQFEQJLXFLCITYZWKHIASCUIPVHOXQGWHFWSXEHOMVVXNFDEKOTOBBAEPJTBOCEJGWYSJBHWDRPPONMLWEDWWLGQVWLLREHLEZFZNEDNRDQMBTZWCUIFLPBHTTQGIEVFRJKMYLHMYUOCAAUGIRMYSCUPKJDFUJBVKKJHICSXHPXWUGXGPHCKBZLZXDCKURFIMZGIDDJWPBHEERWPLLCNTTKZRNYIMGHNYECXBHHHWCVILLPFPVXYOQODPYIIVKTOODIUKCMBBWHUEFORQUJCVYVBOBKKLPQJMOJEUOFUFAAJRTAZTXJJQPOORSRNCQDMHWVYQIGGCMZGYMXIBAKRNOPIPQWJHZEWBBJTYBESJTCCPYZHONYNVOXCBHCXRST

C:\Users\user\AppData\Roaming\RHXHZFFNPuyLPR210395.user\Files\LTKMYBSEYZ.pdf

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\Users\user\AppData\Roaming\RHXHZFFNPuyLPR210395.user\Files\UMMBDNEQBN\KZWFNRXYKI.png

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694982189683734
Encrypted:	false
SSDEEP:	24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
MD5:	E49F84B05A175C231342E6B705A24A44
SHA1:	41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
SHA-256:	EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
SHA-512:	84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
Malicious:	false
Preview:	KZWFNRXYKIQQDFEFEKFUFTLSCHHVHHFJVLINSSPODUWFGYCFXENRRFQZQNVRFJLXTKRPVZFZUDBIVIHPJCTZSMJNOWNCQAPYYHLTMHJJYECMUWUKYXMYBEVYHAFCNHVTPHXQKEQMWLDZKOKDMDUORJRRWKHVJLZNSFERFDAFUHPRYSOCWFZCHPEXICNDGFOZLLLNASUKYIOHUBCGSHVHTAAMQFTBUNSBDIPJOCUDVCBYOUPDCATAMJESONSVVDFARQOQHDTKDRVDWNHMPSWQTCDBOSQIMASLDMFOKOIPUFJNASKNMQOVCYYFVCKNWJBVIBCWMYJGLWMAZWJABPWRYFHPZVZTRFLFKJIVQMYASPFSBODYXKEEFHBTFSHZEWSGAGGMSRRYSACIWVPBTHVGVVYONDRAYVOWBYTTLWWPGWQAJDLYFDALUZCIBUOEBMSCKJILYNBNADCKXDVTLOFEMKULPCSYYTTPBZKLBPMPEQZHPJCMRWISRYUKSYBUOCFXUPORADUTYINWCOLTVNYNBVHTATWIAMJBNCYZTMQLJOZXQMVQWJAGLZBDTPNMMKABCUCOYDSRVMYDKVJFRZRLIKSQNEMHUWIXWIACERSGEBQFEQJLXFLCITYZWKHIASCUIPVHOXQGWHFWSXEHOMVVXNFDEKOTOBBAEPJTBOCEJGWYSJBHWDRPPONMLWEDWWLGQVWLLREHLEZFZNEDNRDQMBTZWCUIFLPBHTTQGIEVFRJKMYLHMYUOCAAUGIRMYSCUPKJDFUJBVKKJHICSXHPXWUGXGPHCKBZLZXDCKURFIMZGIDDJWPBHEERWPLLCNTTKZRNYIMGHNYECXBHHHWCVILLPFPVXYOQODPYIIVKTOODIUKCMBBWHUEFORQUJCVYVBOBKKLPQJMOJEUOFUFAAJRTAZTXJJQPOORSRNCQDMHWVYQIGGCMZGYMXIBAKRNOPIPQWJHZEWBBJTYBESJTCCPYZHONYNVOXCBHCXRST

C:\Users\user\AppData\Roaming\RHXHZFFNPuyLPR210395.user\Files\UMMBDNEQBN\LTKMYBSEYZ.pdf

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\Users\user\AppData\Roaming\RHXHZFFNPuyLPR210395.user\Files\VLZDGUKUTZ\DVWHKMNFNN.png

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	false
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\Users\user\AppData\Roaming\RHXHZFFNPuyLPR210395.user\Files\VLZDGUKUTZ\KATAXZVCPS.pdf

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Roaming\RHXHZFFNPuyLPR210395.user\Information.txt

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	1525
Entropy (8bit):	4.505272794468738
Encrypted:	false
SSDEEP:	24:gMMNoEMshMp11IATMphEQQ6pgzayohCowpwl0/Nd+/fvzVa7V57N8a4:gMMOEMshMp11IATMphEQlpkayohCo6JS
MD5:	48226C6FDE33F327A027103A1637F216
SHA1:	A69667AB2D07AE69CD5C6D3A1EED3A3286EC8F5D
SHA-256:	B637C993360FD66C5B025502751084B7BAECA6CDAB31068613A6B3F8D577A3BD
SHA-512:	145C709F38115A1BD93BC725156F3777054A94093FFD0027580A42F8BDE167D311CAE63026A998C7D1143A03CCF8EFFD5973AAB30E0B8E4ACCA4A65E465AD680
Malicious:	false
Preview:	. *******************************************. .................................. . .................................. . .................................. . .................................. . .................................. . .................................. . https://t.me/VegaStealer_bot . . ******************************************* ==================================================. Operating system: Windows 10 Pro (64 Bit). PC user: 210395/user. Cl

C:\Users\user\AppData\Roaming\RHXHZFFNPuyLPR210395.user\Process.txt

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	3717
Entropy (8bit):	4.778175322669897
Encrypted:	false
SSDEEP:	24:X//YM/x/85w//HI/q/uXsVE/qqIp///QUq/pIqqq/q//q//q/QUpPtr/x/jq/q/3:UuGxNut8zDMVDR1R
MD5:	BEDC261FC01C4E08296EF04CB6E6616C
SHA1:	DAFB9B7889F90871CFED8BA04513AFA6DE728ADA
SHA-256:	6A52A1E7AB0CCCEEAE20DD159A509AE592FDD8A716B91DCCD1B5A68BE0F09F64
SHA-512:	FECE839AA3542D05BF80272FAD21AACAAE7D7897D876FCB9B6AA059D9AA28F5F8395C57CC4E521414DF0EFFFFE8AA32EBE65F32C37CF0C707C2D3C7074DF5D6B
Malicious:	false
Preview:	NAME: svchost..NAME: PfHgqIKRtxbXPHPm..NAME: PfHgqIKRtxbXPHPm..NAME: explorer..NAME: PfHgqIKRtxbXPHPm..NAME: fontdrvhost..NAME: PfHgqIKRtxbXPHPm..NAME: smartscreen..NAME: PfHgqIKRtxbXPHPm..NAME: PfHgqIKRtxbXPHPm..NAME: csrss..NAME: PfHgqIKRtxbXPHPm..NAME: svchost..NAME: PfHgqIKRtxbXPHPm..NAME: sihost..NAME: dllhost..NAME: OfficeClickToRun..NAME: PfHgqIKRtxbXPHPm..NAME: svchost..NAME: svchost..NAME: dasHost..NAME: ctfmon..NAME: PfHgqIKRtxbXPHPm..NAME: PfHgqIKRtxbXPHPm..NAME: PfHgqIKRtxbXPHPm..NAME: RuntimeBroker..NAME: svchost..NAME: PfHgqIKRtxbXPHPm..NAME: WinStore.App..NAME: svchost..NAME: svchost..NAME: svchost..NAME: PfHgqIKRtxbXPHPm..NAME: svchost..NAME: PfHgqIKRtxbXPHPm..NAME: PfHgqIKRtxbXPHPm..NAME: svchost..NAME: PfHgqIKRtxbXPHPm..NAME: PfHgqIKRtxbXPHPm..NAME: svchost..NAME: PfHgqIKRtxbXPHPm..NAME: RuntimeBroker..NAME: StartMenuExperienceHost..NAME: backgroundTaskHost..NAME: PfHgqIKRtxbXPHPm..NAME: fontdrvhost..NAME: PfHgqIKRtxbXPHPm..NAME: TextInputHost..NAME: svchost..NAME: Pf

C:\Users\user\AppData\Roaming\RHXHZFFNPuyLPR210395.user\Screen.png

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	673243
Entropy (8bit):	7.9233873077235435
Encrypted:	false
SSDEEP:	12288:KVeAAvjLRdLVHg/7wrGWfpIQnpbEy1BgkGX8APGN7vm6A2VW+JIgs:mv83RdLVHY7y3f6QnKywkSeNTA2VW+Js
MD5:	DE5B4784FB2CBCB7959F8FC703896606
SHA1:	3F955A87E16A308ACD9B9653931690E35ACBA35A
SHA-256:	BB2959E455B14CFDC869CB640B92E73704821A89F0075DD282C995DD27A77325
SHA-512:	FB831A6052ACE74F7E821746EBEC46B39085FAC938A9B950622DE91741AA52A90BD0DD648DDAB7B4E2D237952A50EF4E397307D768B24D021D8BBE7FB1E0B447
Malicious:	false
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.....G....y....;.5.....U.=3...o.Q..y.$. <T.].AB./...$......G.".t.H.. &.....#..2w.#..Z...."..<.B.Y_...s..i.<>....s..Q......I.......Y0./.O.....>.h?.oBf*..{M..8.9f....I..>\`..4.......\|..E1..'..8\|.J....b.....t....a.c..{..#.9.G....s.M..G...../...i.Y$...(f......;.J......{n_4.w..2.....n.G....e..".......`.m......y.M......?...7-....l(..3.{C.7.....7.E.}..-.........^?.........z..}.[....u...k..~m;.Z.z.y.5s...._3..;..J..^.V....1...3/....\|......X...k...zE.$s..i....9.=39?{H....xf.K.Y...../+h=s..ml.K.N...g.\|i.}.%..bU...[y.e%........r.0..{..if.KRw..Sg.......cZ...W.tyZ.kV.q%.\...<..}a....t.Y_F....c.!.+..8../...zv...{}...ml......s..k.W..........2......f.:?u.<..5../.V.;{.[.V..b......H.......?...(....3..{>s.....\.{...9..\|f.s........3.0..........]...\|n...2_.[...b...n.c.+w....t.{.W...s;..y.z.N.n.....s...q.@n.n.w.c^.....Y....%.Z}..EN..3V.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.901370777884292
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SharcHack.exe
File size:	8'223'744 bytes
MD5:	7b83ec8b52b0960227678156e29c1104
SHA1:	f900ddff272431c281b76132fb110cb4120f68a3
SHA256:	1b98a1d62cb0348ca334d047f4167f8bacd8de51829284a9be50e72d010e1cb8
SHA512:	f79e951e71747b80d7dea383e4b44fcd4d1064b1d3a8ab93a5e9b9274cc9c88e8ece9856f630d9725991e886cb5df245d11f51ebbba26328e6589e293e0665d6
SSDEEP:	98304:Cgl47z3Aldea5a/OhtJeq+4NK+dG7M0mWZsE6+YhU+dbkh4yiMP0K:4/wld79ht+j1M0mWZsE6+YASy10K
TLSH:	A886333F8AEF4AE1CC401FBFC8A6973D0C46A5B6AF518E4A95EA03C54D53F0E8E19514
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	696ce8f0d2d44c6d

Static PE Info

General

Entrypoint:	0x4020cc
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	d59a4a699610169663a929d37c90be43

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
mov ecx, 0000000Ch
push 00000000h
push 00000000h
dec ecx
jne 00007FE1E082A98Bh
push ecx
push ebx
push esi
push edi
mov eax, 0040209Ch
call 00007FE1E082A400h
xor eax, eax
push ebp
push 00402361h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
lea edx, dword ptr [ebp-14h]
mov eax, 00402378h
call 00007FE1E082A7D9h
mov eax, dword ptr [ebp-14h]
call 00007FE1E082A8A9h
mov edi, eax
test edi, edi
jng 00007FE1E082ABC6h
mov ebx, 00000001h
lea edx, dword ptr [ebp-20h]
mov eax, ebx
call 00007FE1E082A868h
mov ecx, dword ptr [ebp-20h]
lea eax, dword ptr [ebp-1Ch]
mov edx, 00402384h
call 00007FE1E0829FF8h
mov eax, dword ptr [ebp-1Ch]
lea edx, dword ptr [ebp-18h]
call 00007FE1E082A79Dh
mov edx, dword ptr [ebp-18h]
mov eax, 00404680h
call 00007FE1E0829ED0h
lea edx, dword ptr [ebp-2Ch]
mov eax, ebx
call 00007FE1E082A836h
mov ecx, dword ptr [ebp-2Ch]
lea eax, dword ptr [ebp-28h]
mov edx, 00402390h
call 00007FE1E0829FC6h
mov eax, dword ptr [ebp-28h]
lea edx, dword ptr [ebp-24h]
call 00007FE1E082A76Bh
mov edx, dword ptr [ebp-24h]
mov eax, 00404684h
call 00007FE1E0829E9Eh
lea edx, dword ptr [ebp-38h]
mov eax, ebx
call 00007FE1E082A804h
mov ecx, dword ptr [ebp-38h]
lea eax, dword ptr [ebp-34h]
mov edx, 0040239Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5000	0x302	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9000	0x7d5824	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8000	0x1c8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x7000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x13b8	0x1400	e5913936857bed3b3b2fbac53e973471	False	0.6318359375	data	6.340990548290613	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0x3000	0x7c	0x200	cef89de607e490725490a3cd679af6bb	False	0.162109375	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 4230400	1.1176271682252383	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0x4000	0x695	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x5000	0x302	0x400	3d2f2fc4e279cba623217ec9de264c4f	False	0.3876953125	data	3.47731642923935	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x6000	0x4	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x7000	0x18	0x200	467f29e48f3451df774e13adae5aafc2	False	0.05078125	data	0.1991075177871819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x8000	0x1c8	0x200	9859d413c7408cb699cca05d648c2502	False	0.876953125	data	5.7832974211095225	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x9000	0x7d5824	0x7d5a00	a3364f0e42f8b3b3d39eac33039c6ae9	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x92e8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	0.07745770732284396
RT_RCDATA	0x19b10	0x12e00	PE32 executable (GUI) Intel 80386, for MS Windows	0.13545115894039736
RT_RCDATA	0x2c910	0x7b1c00	PE32 executable (GUI) Intel 80386, for MS Windows	0.9835062026977539
RT_RCDATA	0x7de510	0xd	ASCII text, with no line terminators	1.6153846153846154
RT_RCDATA	0x7de520	0x12	ASCII text, with no line terminators	1.4444444444444444
RT_RCDATA	0x7de534	0x1	very short file (no magic)	9.0
RT_RCDATA	0x7de538	0x1	very short file (no magic)	9.0
RT_RCDATA	0x7de53c	0x1	very short file (no magic)	9.0
RT_RCDATA	0x7de540	0x1	very short file (no magic)	9.0
RT_RCDATA	0x7de544	0x1	very short file (no magic)	9.0
RT_GROUP_ICON	0x7de548	0x14	data	1.15
RT_VERSION	0x7de55c	0x2c8	data	0.46769662921348315

Imports

DLL	Import
kernel32.dll	GetCurrentThreadId, SetCurrentDirectoryA, GetCurrentDirectoryA, ExitProcess, RtlUnwind, RaiseException, TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA, FreeLibrary, HeapFree, HeapReAlloc, HeapAlloc, GetProcessHeap
kernel32.dll	WriteFile, SizeofResource, SetFilePointer, LockResource, LoadResource, GetWindowsDirectoryA, GetTempPathA, GetSystemDirectoryA, FreeResource, FindResourceA, CreateFileA, CloseHandle
shfolder.dll	SHGetFolderPathA
shell32.dll	ShellExecuteA

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 22:47:03.491547108 CET	49730	443	192.168.2.4	104.21.73.97
Dec 27, 2024 22:47:03.491599083 CET	443	49730	104.21.73.97	192.168.2.4
Dec 27, 2024 22:47:03.491666079 CET	49730	443	192.168.2.4	104.21.73.97
Dec 27, 2024 22:47:03.518902063 CET	49730	443	192.168.2.4	104.21.73.97
Dec 27, 2024 22:47:03.518923044 CET	443	49730	104.21.73.97	192.168.2.4
Dec 27, 2024 22:47:04.783628941 CET	443	49730	104.21.73.97	192.168.2.4
Dec 27, 2024 22:47:04.783837080 CET	49730	443	192.168.2.4	104.21.73.97
Dec 27, 2024 22:47:04.787738085 CET	49730	443	192.168.2.4	104.21.73.97
Dec 27, 2024 22:47:04.787745953 CET	443	49730	104.21.73.97	192.168.2.4
Dec 27, 2024 22:47:04.788086891 CET	443	49730	104.21.73.97	192.168.2.4
Dec 27, 2024 22:47:04.837717056 CET	49730	443	192.168.2.4	104.21.73.97
Dec 27, 2024 22:47:04.879364967 CET	443	49730	104.21.73.97	192.168.2.4
Dec 27, 2024 22:47:05.228298903 CET	443	49730	104.21.73.97	192.168.2.4
Dec 27, 2024 22:47:05.228351116 CET	443	49730	104.21.73.97	192.168.2.4
Dec 27, 2024 22:47:05.228404045 CET	49730	443	192.168.2.4	104.21.73.97
Dec 27, 2024 22:47:05.237097979 CET	49730	443	192.168.2.4	104.21.73.97
Dec 27, 2024 22:47:05.423538923 CET	49731	443	192.168.2.4	172.67.209.71
Dec 27, 2024 22:47:05.423567057 CET	443	49731	172.67.209.71	192.168.2.4
Dec 27, 2024 22:47:05.423630953 CET	49731	443	192.168.2.4	172.67.209.71
Dec 27, 2024 22:47:05.424065113 CET	49731	443	192.168.2.4	172.67.209.71
Dec 27, 2024 22:47:05.424076080 CET	443	49731	172.67.209.71	192.168.2.4
Dec 27, 2024 22:47:06.743319035 CET	443	49731	172.67.209.71	192.168.2.4
Dec 27, 2024 22:47:06.743714094 CET	49731	443	192.168.2.4	172.67.209.71
Dec 27, 2024 22:47:06.746438026 CET	49731	443	192.168.2.4	172.67.209.71
Dec 27, 2024 22:47:06.746448040 CET	443	49731	172.67.209.71	192.168.2.4
Dec 27, 2024 22:47:06.746649027 CET	443	49731	172.67.209.71	192.168.2.4
Dec 27, 2024 22:47:06.748055935 CET	49731	443	192.168.2.4	172.67.209.71
Dec 27, 2024 22:47:06.791362047 CET	443	49731	172.67.209.71	192.168.2.4
Dec 27, 2024 22:47:07.330012083 CET	443	49731	172.67.209.71	192.168.2.4
Dec 27, 2024 22:47:07.330048084 CET	443	49731	172.67.209.71	192.168.2.4
Dec 27, 2024 22:47:07.330080986 CET	443	49731	172.67.209.71	192.168.2.4
Dec 27, 2024 22:47:07.330094099 CET	49731	443	192.168.2.4	172.67.209.71
Dec 27, 2024 22:47:07.330106020 CET	443	49731	172.67.209.71	192.168.2.4
Dec 27, 2024 22:47:07.330153942 CET	49731	443	192.168.2.4	172.67.209.71
Dec 27, 2024 22:47:07.330158949 CET	443	49731	172.67.209.71	192.168.2.4
Dec 27, 2024 22:47:07.330178022 CET	443	49731	172.67.209.71	192.168.2.4
Dec 27, 2024 22:47:07.330229998 CET	49731	443	192.168.2.4	172.67.209.71
Dec 27, 2024 22:47:07.339271069 CET	49731	443	192.168.2.4	172.67.209.71
Dec 27, 2024 22:47:08.014231920 CET	49732	80	192.168.2.4	208.95.112.1
Dec 27, 2024 22:47:08.133940935 CET	80	49732	208.95.112.1	192.168.2.4
Dec 27, 2024 22:47:08.134028912 CET	49732	80	192.168.2.4	208.95.112.1
Dec 27, 2024 22:47:08.134210110 CET	49732	80	192.168.2.4	208.95.112.1
Dec 27, 2024 22:47:08.253690958 CET	80	49732	208.95.112.1	192.168.2.4
Dec 27, 2024 22:47:09.257694960 CET	80	49732	208.95.112.1	192.168.2.4
Dec 27, 2024 22:47:09.311516047 CET	49732	80	192.168.2.4	208.95.112.1
Dec 27, 2024 22:47:09.615705967 CET	49732	80	192.168.2.4	208.95.112.1
Dec 27, 2024 22:47:09.621220112 CET	49733	80	192.168.2.4	208.95.112.1
Dec 27, 2024 22:47:09.735627890 CET	80	49732	208.95.112.1	192.168.2.4
Dec 27, 2024 22:47:09.735729933 CET	49732	80	192.168.2.4	208.95.112.1
Dec 27, 2024 22:47:09.740712881 CET	80	49733	208.95.112.1	192.168.2.4
Dec 27, 2024 22:47:09.740801096 CET	49733	80	192.168.2.4	208.95.112.1
Dec 27, 2024 22:47:09.740969896 CET	49733	80	192.168.2.4	208.95.112.1
Dec 27, 2024 22:47:09.860533953 CET	80	49733	208.95.112.1	192.168.2.4
Dec 27, 2024 22:47:10.983927011 CET	80	49733	208.95.112.1	192.168.2.4
Dec 27, 2024 22:47:11.011126041 CET	49733	80	192.168.2.4	208.95.112.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 22:47:03.101892948 CET	65436	53	192.168.2.4	1.1.1.1
Dec 27, 2024 22:47:03.479093075 CET	53	65436	1.1.1.1	192.168.2.4
Dec 27, 2024 22:47:05.273088932 CET	57279	53	192.168.2.4	1.1.1.1
Dec 27, 2024 22:47:05.422729969 CET	53	57279	1.1.1.1	192.168.2.4
Dec 27, 2024 22:47:07.875478029 CET	62082	53	192.168.2.4	1.1.1.1
Dec 27, 2024 22:47:08.013138056 CET	53	62082	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 27, 2024 22:47:03.101892948 CET	192.168.2.4	1.1.1.1	0xbc39	Standard query (0)	freegeoip.app	A (IP address)	IN (0x0001)	false
Dec 27, 2024 22:47:05.273088932 CET	192.168.2.4	1.1.1.1	0xbf69	Standard query (0)	ipbase.com	A (IP address)	IN (0x0001)	false
Dec 27, 2024 22:47:07.875478029 CET	192.168.2.4	1.1.1.1	0x987e	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 27, 2024 22:47:03.479093075 CET	1.1.1.1	192.168.2.4	0xbc39	No error (0)	freegeoip.app	104.21.73.97	A (IP address)	IN (0x0001)	false
Dec 27, 2024 22:47:03.479093075 CET	1.1.1.1	192.168.2.4	0xbc39	No error (0)	freegeoip.app	172.67.160.84	A (IP address)	IN (0x0001)	false
Dec 27, 2024 22:47:05.422729969 CET	1.1.1.1	192.168.2.4	0xbf69	No error (0)	ipbase.com	172.67.209.71	A (IP address)	IN (0x0001)	false
Dec 27, 2024 22:47:05.422729969 CET	1.1.1.1	192.168.2.4	0xbf69	No error (0)	ipbase.com	104.21.85.189	A (IP address)	IN (0x0001)	false
Dec 27, 2024 22:47:08.013138056 CET	1.1.1.1	192.168.2.4	0x987e	No error (0)	ip-api.com	208.95.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

freegeoip.app

ipbase.com

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	208.95.112.1	80	2172	C:\Users\user\AppData\Local\Temp\v2.exe

Timestamp	Bytes transferred	Direction	Data
Dec 27, 2024 22:47:08.134210110 CET	78	OUT	GET /json/?fields=61439 HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Dec 27, 2024 22:47:09.257694960 CET	483	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 21:47:08 GMT Content-Type: application/json; charset=utf-8 Content-Length: 306 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 59 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 7a 69 70 22 3a 22 31 30 31 32 33 22 2c 22 6c 61 74 22 3a 34 30 2e 37 31 32 38 2c 22 6c 6f 6e 22 3a 2d 37 34 2e 30 30 36 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 69 73 70 22 3a 22 4c 65 76 65 6c 20 33 22 2c 22 6f 72 67 22 3a 22 43 65 6e 74 75 72 79 4c 69 6e 6b 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 2c 20 4c 4c 43 22 2c 22 61 73 22 3a 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 7d Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10123","lat":40.7128,"lon":-74.006,"timezone":"America/New_York","isp":"Level 3","org":"CenturyLink Communications, LLC","as":"AS3356 Level 3 Parent, LLC","query":"8.46.123.189"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49733	208.95.112.1	80	2172	C:\Users\user\AppData\Local\Temp\v2.exe

Timestamp	Bytes transferred	Direction	Data
Dec 27, 2024 22:47:09.740969896 CET	78	OUT	GET /json/?fields=61439 HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Dec 27, 2024 22:47:10.983927011 CET	483	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 21:47:10 GMT Content-Type: application/json; charset=utf-8 Content-Length: 306 Access-Control-Allow-Origin: * X-Ttl: 58 X-Rl: 43 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 59 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 7a 69 70 22 3a 22 31 30 31 32 33 22 2c 22 6c 61 74 22 3a 34 30 2e 37 31 32 38 2c 22 6c 6f 6e 22 3a 2d 37 34 2e 30 30 36 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 69 73 70 22 3a 22 4c 65 76 65 6c 20 33 22 2c 22 6f 72 67 22 3a 22 43 65 6e 74 75 72 79 4c 69 6e 6b 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 2c 20 4c 4c 43 22 2c 22 61 73 22 3a 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 7d Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10123","lat":40.7128,"lon":-74.006,"timezone":"America/New_York","isp":"Level 3","org":"CenturyLink Communications, LLC","as":"AS3356 Level 3 Parent, LLC","query":"8.46.123.189"}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.21.73.97	443	2172	C:\Users\user\AppData\Local\Temp\v2.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 21:47:04 UTC	67	OUT	GET /xml/ HTTP/1.1 Host: freegeoip.app Connection: Keep-Alive
2024-12-27 21:47:05 UTC	852	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 27 Dec 2024 21:47:05 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Fri, 27 Dec 2024 22:47:05 GMT Location: https://ipbase.com/xml/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4gAAV2DJEpUFtJ4hke%2FmqQbHZnlplLMDF61plnIUVKO4ZAlZk8HnCPzQ9HmXfKfgRj%2FEgCRfx4c0eC%2BVLhxNlg4MvzL4VLYL2Nhy3jorNQnZWmzlV9gHSPRj9zUMVidj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8c81ccae01c466-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1583&min_rtt=1577&rtt_var=603&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=681&delivery_rate=1796923&cwnd=219&unsent_bytes=0&cid=215d810a240fb3bc&ts=456&x=0"
2024-12-27 21:47:05 UTC	167	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	172.67.209.71	443	2172	C:\Users\user\AppData\Local\Temp\v2.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 21:47:06 UTC	64	OUT	GET /xml/ HTTP/1.1 Host: ipbase.com Connection: Keep-Alive
2024-12-27 21:47:07 UTC	947	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Dec 2024 21:47:07 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Age: 2985 Cache-Control: public,max-age=0,must-revalidate Cache-Status: "Netlify Edge"; hit Vary: Accept-Encoding X-Nf-Request-Id: 01JG51CS0DGXTQGC70P19QW1Y0 cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=e8%2BcaaQ5uBcIVmC4kiaEShJa64t6bolyDyKZ6jgNM%2BqaQoKJ4smN%2FQBiV00HW69unRYSvYvrNI6OVJ3UmGSvc0HOSOycSuADxMJhFR9x39KJf8YRuoME1zqcD601"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8c81d97d6c428b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1655&min_rtt=1602&rtt_var=708&sent=7&recv=9&lost=0&retrans=0&sent_bytes=2819&recv_bytes=678&delivery_rate=1436301&cwnd=240&unsent_bytes=0&cid=da465c954db9dbe6&ts=587&x=0"
2024-12-27 21:47:07 UTC	422	IN	Data Raw: 64 37 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 3a 72 6f 6f 74 20 7b 0a 20 20 20 20 20 20 20 20 2d 2d 63 6f 6c 6f 72 52 67 62 46 61 63 65 74 73 54 65 61 6c 36 30 30 3a 20 32 20 31 32 38 20 31 32 35 Data Ascii: d79<!DOCTYPE html><html lang="en"> <head> <meta charset="utf-8" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <title>Page not found</title> <style> :root { --colorRgbFacetsTeal600: 2 128 125
2024-12-27 21:47:07 UTC	1369	IN	Data Raw: 29 3b 0a 20 20 20 20 20 20 20 20 2d 2d 63 6f 6c 6f 72 52 67 62 46 61 63 65 74 73 4e 65 75 74 72 61 6c 4c 69 67 68 74 37 30 30 3a 20 35 33 20 35 38 20 36 32 3b 0a 20 20 20 20 20 20 20 20 2d 2d 63 6f 6c 6f 72 47 72 61 79 44 61 72 6b 65 73 74 3a 20 76 61 72 28 2d 2d 63 6f 6c 6f 72 52 67 62 46 61 63 65 74 73 4e 65 75 74 72 61 6c 4c 69 67 68 74 37 30 30 29 3b 0a 20 20 20 20 20 20 20 20 2d 2d 63 6f 6c 6f 72 47 72 61 79 4c 69 67 68 74 65 72 3a 20 76 61 72 28 2d 2d 63 6f 6c 6f 72 52 67 62 46 61 63 65 74 73 4e 65 75 74 72 61 6c 4c 69 67 68 74 32 30 30 29 3b 0a 20 20 20 20 20 20 20 20 2d 2d 63 6f 6c 6f 72 54 65 78 74 3a 20 76 61 72 28 2d 2d 63 6f 6c 6f 72 47 72 61 79 44 61 72 6b 65 73 74 29 3b 0a 20 20 20 20 20 20 20 20 2d 2d 65 66 66 65 63 74 53 68 61 64 6f 77 4c Data Ascii: ); --colorRgbFacetsNeutralLight700: 53 58 62; --colorGrayDarkest: var(--colorRgbFacetsNeutralLight700); --colorGrayLighter: var(--colorRgbFacetsNeutralLight200); --colorText: var(--colorGrayDarkest); --effectShadowL
2024-12-27 21:47:07 UTC	1369	IN	Data Raw: 69 6e 67 3a 20 32 34 70 78 3b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 77 68 69 74 65 3b 0a 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 38 70 78 3b 0a 20 20 20 20 20 20 20 20 62 6f 78 2d 73 68 61 64 6f 77 3a 20 76 61 72 28 2d 2d 65 66 66 65 63 74 53 68 61 64 6f 77 4c 69 67 68 74 53 68 61 6c 6c 6f 77 29 3b 0a 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 28 76 61 72 28 2d 2d 63 6f 6c 6f 72 47 72 61 79 4c 69 67 68 74 65 72 29 29 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 61 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 36 30 30 3b 0a 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 72 Data Ascii: ing: 24px; background: white; border-radius: 8px; box-shadow: var(--effectShadowLightShallow); border: 1px solid rgb(var(--colorGrayLighter)); } a { margin: 0; font-weight: 600; color: r
2024-12-27 21:47:07 UTC	296	IN	Data Raw: 72 73 2e 6e 65 74 6c 69 66 79 2e 63 6f 6d 2f 74 2f 73 75 70 70 6f 72 74 2d 67 75 69 64 65 2d 69 2d 76 65 2d 64 65 70 6c 6f 79 65 64 2d 6d 79 2d 73 69 74 65 2d 62 75 74 2d 69 2d 73 74 69 6c 6c 2d 73 65 65 2d 70 61 67 65 2d 6e 6f 74 2d 66 6f 75 6e 64 2f 31 32 35 3f 75 74 6d 5f 73 6f 75 72 63 65 3d 34 30 34 70 61 67 65 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 63 6f 6d 6d 75 6e 69 74 79 5f 74 72 61 63 6b 69 6e 67 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 3e e2 80 9c 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 e2 80 9d 20 73 75 70 70 6f 72 74 20 67 75 69 64 65 3c 2f 61 0a 20 20 20 20 20 20 20 20 20 20 3e 0a 20 20 20 20 20 20 20 20 20 20 66 6f 72 20 74 72 6f 75 62 6c 65 73 68 6f 6f 74 69 6e 67 20 74 69 70 73 2e 0a 20 20 20 20 20 20 20 20 3c 2f 70 3e 0a 20 20 20 Data Ascii: rs.netlify.com/t/support-guide-i-ve-deployed-my-site-but-i-still-see-page-not-found/125?utm_source=404page&utm_campaign=community_tracking" >page not found support guide</a > for troubleshooting tips. </p>
2024-12-27 21:47:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	16:46:59
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\SharcHack.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SharcHack.exe"
Imagebase:	0x400000
File size:	8'223'744 bytes
MD5 hash:	7B83EC8B52B0960227678156E29C1104
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	1
Start time:	16:46:59
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\SharcHack.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\SharcHack.exe"
Imagebase:	0x400000
File size:	77'312 bytes
MD5 hash:	0589483666F8F55DE5CD74FDC3D1B4AE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 89%, ReversingLabs
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	16:46:59
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe"
Imagebase:	0x400000
File size:	8'068'096 bytes
MD5 hash:	9F4F298BCF1D208BD3CE3907CFB28480
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NitroStealer, Description: Yara detected Nitro Stealer, Source: 00000002.00000003.1707975693.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlackGuard, Description: Yara detected BlackGuard, Source: 00000002.00000003.1707975693.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VEGAStealer, Description: Yara detected VEGA Stealer, Source: 00000002.00000003.1707975693.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AdesStealer, Description: Yara detected Ades Stealer, Source: 00000002.00000003.1707975693.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1707975693.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000003.1707975693.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000002.00000003.1707975693.00000000031B1000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 100%, ReversingLabs
Reputation:	low
Has exited:	true

Target ID:	3
Start time:	16:47:01
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\v2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\v2.exe"
Imagebase:	0x6b0000
File size:	278'016 bytes
MD5 hash:	3F62213D184B639A0A62BCB1E65370A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NitroStealer, Description: Yara detected Nitro Stealer, Source: 00000003.00000000.1708524074.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_BlackGuard, Description: Yara detected BlackGuard, Source: 00000003.00000000.1708524074.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_VEGAStealer, Description: Yara detected VEGA Stealer, Source: 00000003.00000000.1708524074.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_AdesStealer, Description: Yara detected Ades Stealer, Source: 00000003.00000000.1708524074.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000000.1708524074.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000000.1708524074.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000003.00000000.1708524074.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, Author: ditekSHen Rule: JoeSecurity_BlackGuard, Description: Yara detected BlackGuard, Source: 00000003.00000002.1792575261.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VEGAStealer, Description: Yara detected VEGA Stealer, Source: 00000003.00000002.1792575261.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VEGAStealer, Description: Yara detected VEGA Stealer, Source: 00000003.00000002.1792575261.0000000002ECE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1792575261.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.1792575261.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000003.00000002.1792575261.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: Joe Security Rule: JoeSecurity_NitroStealer, Description: Yara detected Nitro Stealer, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: Joe Security Rule: JoeSecurity_BlackGuard, Description: Yara detected BlackGuard, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: Joe Security Rule: JoeSecurity_VEGAStealer, Description: Yara detected VEGA Stealer, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: Joe Security Rule: JoeSecurity_AdesStealer, Description: Yara detected Ades Stealer, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: Joe Security Rule: infostealer_win_lighting, Description: Detect the Lighting infostealer based on specific strings, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: Sekoia.io Rule: infostealer_win_stormkitty, Description: Finds StormKitty samples (or their variants) based on specific strings, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: Sekoia.io Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_References_VPN, Description: Detects executables referencing many VPN software clients. Observed in infosteslers, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: ditekSHen Rule: MALWARE_Win_A310Logger, Description: Detects A310Logger, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 83%, ReversingLabs
Reputation:	low
Has exited:	true